From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.79])
 by mx.groups.io with SMTP id smtpd.web10.874.1631557202199811456
 for <devel@edk2.groups.io>;
 Mon, 13 Sep 2021 11:20:04 -0700
Authentication-Results: mx.groups.io;
 dkim=fail reason="body hash did not verify" header.i=@amd.com header.s=selector1 header.b=nh/mug4N;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.94.79, mailfrom: brijesh.singh@amd.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=UI0DZDQehvs9Nx9I3lzc/7vzZdswSGBSD/8IRlnt9HXnnyUZmONJFP/6cy0bndRXCMOuCiU7Iz3e4pAoIzWkt60NCDzB3eu0EzxWLsTSubIZvvohdzkhcMdRIQJq1sxAmINHwM4JgrPyJKb14hi7USjHyWCYeH2xR4HjTdJX9pKH57KpTgLneDXexxVeordf4AGIy3O+PKB0QUlWl2gGg3UAiBUdUs1G2pwJqZqfE/cnGJ1VFH8+GCwkdjkM/0/KdK6RHn8g+TPL46dficL1EvqFZYx/NYucQ6yFNoD4wF3CtWgLXdvOu+U/eVocjsp31igzet8SPoDcg/kYMO88Ww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=M34uBi4z9OTM1s2NduA2WzfG4s6WkRBSWucZU2AH/Sk=;
 b=bLsopgscInTAnHji1rkDT/BBZZZMCOP02YySdq8Vnx3z0rTvxJ7NKEuhsoj3Bet1gR143KToB6CVpO5s2oZRapoAYF4ik8kRWE32PoPse22pd1ojIGz7qR9n0rEqTv9uTeV5+D+ADcBIb7NVfyIN6xyY7b1+BHZZM+Ctg1nhbx17Z9k9ikes6RXxbv8z3YU9+dbPDWzjpicgVbYmm1+NRATCP3oxPWuHnkKdcj/Mw8hq3EGxpScpYPo2E9r/QZiUsHs0lu8YNB1gVr+G7uAavq0h7PstSRhuLNuFpkKchQ5d7trQtNAT6ReI4sZP0MKM/Am4oOIEU48s7QCMIsApqg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=M34uBi4z9OTM1s2NduA2WzfG4s6WkRBSWucZU2AH/Sk=;
 b=nh/mug4Ndgj89hoPcQ7Eg2leqGNgkKoxXpKjCO+58LK+ppX9ZmSDCb0HipkhPrK6ADX/VZQrZ8F/ZEi6ziXeykBgPsMMwV0TSNgNuhQBCZZhUGQcVFFIS7d+zB+ISVw4JuSW9kRzgXR1XdT8OohLxZXch2FLZzolyWc7Ug6dB0E=
Authentication-Results: edk2.groups.io; dkim=none (message not signed)
 header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com;
Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22)
 by SN1PR12MB2512.namprd12.prod.outlook.com (2603:10b6:802:31::14) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14; Mon, 13 Sep
 2021 18:20:02 +0000
Received: from SN6PR12MB2718.namprd12.prod.outlook.com
 ([fe80::78b7:7336:d363:9be3]) by SN6PR12MB2718.namprd12.prod.outlook.com
 ([fe80::78b7:7336:d363:9be3%6]) with mapi id 15.20.4500.019; Mon, 13 Sep 2021
 18:20:02 +0000
From: "Brijesh Singh" <brijesh.singh@amd.com>
To: devel@edk2.groups.io
CC: James Bottomley <jejb@linux.ibm.com>,
	Min Xu <min.m.xu@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Erdem Aktas <erdemaktas@google.com>,
	Michael Roth <Michael.Roth@amd.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Michael Roth <michael.roth@amd.com>
Subject: [PATCH v7 05/31] OvmfPkg: reserve CPUID page
Date: Mon, 13 Sep 2021 13:19:15 -0500
Message-ID: <20210913181941.23405-6-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
X-ClientProxiedBy: SA9P221CA0012.NAMP221.PROD.OUTLOOK.COM
 (2603:10b6:806:25::17) To SN6PR12MB2718.namprd12.prod.outlook.com
 (2603:10b6:805:6f::22)
Return-Path: brijesh.singh@amd.com
MIME-Version: 1.0
Received: from sbrijesh-desktop.amd.com (165.204.77.1) by SA9P221CA0012.NAMP221.PROD.OUTLOOK.COM (2603:10b6:806:25::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14 via Frontend Transport; Mon, 13 Sep 2021 18:20:01 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 027c4c8e-f57f-4ac8-bd83-08d976e31a46
X-MS-TrafficTypeDiagnostic: SN1PR12MB2512:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
	<SN1PR12MB2512C0540013DB2076921C88E5D99@SN1PR12MB2512.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:5516;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	o0OmOI2W0gsrtH17D1bZJP7HhBkxqtFKE3d+9MLZeKP4ua74aITGouSF6v+ii0Xo8xfNFlK8Jh2Hfk5d9sg8Y7pvzmKVgh68mkSUOszuY4nOhwFjMYBX/crHzT+lQe3CY89richfp6cQAkk1o/Egm7CKaQFjguKv5XL/bxygFjzZjMPKBp2FDnZBukrHmtOMELV4hkxBNDPCCKlSRMTgWp7LamhKBff0I4nslg4XRJn3w/BliBjBRIb6ronHISMpL8mM21dY/f4HFtvnjOjcroq7+Awe0IY+KlXbS3yAO+zg0Rvzb5yQIreuD9DWh8qymBiauuqesOVOsLp/3uUcRE86numGME2k5sDMktIN03JEWPxCvD0xxb80Pftg1XskhZkJ0BXJ5as73xrzWpVCPc1gwWmBlQX3EuqnsFQIc4i5aT5h8bafqZNuDN86fNCk0MXqkWF0r0COnsA31phLljLRi4+omjyBOV46FqyTPgU6r3dZYvat6ctRml91M/IZ/se6IpKFEGHQGoFDRP7sB33+qY5ctqhsogcinqz5Ag2dZfrsgcmuhC6k/wA5OhUo2zhQAN36ICnsq0BqYnFWjhRKeUrroIPql+XwCS6W3ZcHXEJ0IBBCEH40HUk8eTB33ra2+earDSeWay9zQy0zzjOI7yoc3BZKwfGQOw+rCYvC+wrFb8F2DUsOyLXVv+7vbLP3Zwdh9U+8MrP98ccM2/E91QccMb1I9crTwewud6moG6BSQd6oLAwlsy7ET8eV3GI8B9YWEdUmRM2KNs3ssd5Won/BtAHrfMdBd3GMWEI=
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2718.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(396003)(346002)(39860400002)(366004)(376002)(136003)(83380400001)(478600001)(86362001)(8936002)(966005)(6486002)(8676002)(186003)(6916009)(2906002)(38350700002)(38100700002)(26005)(36756003)(19627235002)(956004)(2616005)(66946007)(6666004)(66556008)(54906003)(5660300002)(52116002)(44832011)(66476007)(316002)(4326008)(1076003)(7696005);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?us-ascii?Q?dnpV9oztef3E38usOEqTeGxmdUxen4AH01zkyv9IstJoKRZxyZO7MKK7H2Hk?=
 =?us-ascii?Q?QC0RfRlfK8YSI/CzBwLj3iQvLnWQuU5+Kk/UYUihPOnkpqX7lHONAKnJAgOE?=
 =?us-ascii?Q?NCw8Ayg6uDekDgRIexLC9Urir3n7BqV75AGUnXiIpk4gcZrJxL9ragYoH2CQ?=
 =?us-ascii?Q?ru6/BIlpvkPG7H8wrHVO25l9v1wW4zsuF9OfI9hsu9ci1sFOXde3ejnfHhdz?=
 =?us-ascii?Q?vibo4rZ8aRzIH9alCJLzONq8JI1+EXREMgdh/p2jMpbmWFaORdd6s1aBIg4x?=
 =?us-ascii?Q?du0aTO7vr30vr8llxwtnVEfH/f0XUG2EGFyUwm8oByCLzX6EBjsva7s6jzan?=
 =?us-ascii?Q?3MBVFnU2dFsEsGyoWbucU1ogi5jj6iuQM1XSsXUqvb/kJ+w03m/Fh4hOKHFz?=
 =?us-ascii?Q?47YdMEHXek9KDkgeQVO/T5PvJnDeDsJBpfbh19HB7bF7s47M+L8yG7J4zyuA?=
 =?us-ascii?Q?QsOivxcg/lvCbovRM/GByDJufAzn1yvOkPCmLj/mu9ticMvlPDYUngmnAoJ3?=
 =?us-ascii?Q?YW6JhCqiaLfVZQ9W6R+4ffEslHuSltMyD7Cb2nITNw0r1lpoA3hLKN3e70Yb?=
 =?us-ascii?Q?zuBOvUvMqrVks8/NRIsCVf6fFFf/bJ1m4byDIB3j+qMZwrq9oXQUhSSXlV86?=
 =?us-ascii?Q?2UbhoHyw3ruz38Xl+lL2E2B+zBH4Xl+CWIUvbsZFzpMrJyVeqlac1Wf9PpeK?=
 =?us-ascii?Q?sy4GpSWC6pVNSKg1I7wdbby2kyHtVlDRr4NOHcWR75zSmp+h571VrS9+y1T5?=
 =?us-ascii?Q?BVLjC6WvSBMHgdG/hupVSf940eztFgMgd+ZoFI6/uEM7A+F4wSJ5jnmcU4/D?=
 =?us-ascii?Q?T88e8N3dyfg+iFnuDw9oJQsygxUBNGiAFziD/bF6nZKA0XRrts1PeCOTUelE?=
 =?us-ascii?Q?bXDserTpqMxQ3JpFe2r4myQtuUDuHr62xhv4AMAyoPpNyno+4toP2gGyYnF/?=
 =?us-ascii?Q?v7ABhHkacXF7NCT/zNxOhdYJyHvZa3rE2EO/lYOxT4wZ4NZJDB8awSXjvnJ5?=
 =?us-ascii?Q?G/R4sA12PQETlF824Jq8nDmtxKasayQ1no0eqZxiK1oNsBDDRsqoK0fF4+mA?=
 =?us-ascii?Q?l+YbzN+92yoRFNMdHJtYUFVm0zI1QQz0nWc/Ps4+CA2IcAy8TKBtYUmU3vkX?=
 =?us-ascii?Q?8IwEU7PapoP2h5YMkm0/8TClbvcZMv4OiUhAB1aHZFEY5Rx7EcycEZ/gL2kg?=
 =?us-ascii?Q?h+tV6DqFjrAkqehilT2i4EDqcUV9qUd56HUWP4kxo3ULdC499fTN0jVwYpUC?=
 =?us-ascii?Q?AdOU1sfiQjTWeNpmmxThKd5jyBOgjNkjAcyq2QE0msfnhcQg6Mbr3LNtlpAs?=
 =?us-ascii?Q?RjFPqGUC0IpmnZMIrhltwnE1?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 027c4c8e-f57f-4ac8-bd83-08d976e31a46
X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Sep 2021 18:20:02.2272
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: bW+0tCLifHT3PoQsdS5IPcwZiGTx7FFQAbVrFbk+GriyR3Yw46dN74WSU8aBN44JylEFC6MJWsL3kUFDFnidHQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB2512
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275

Platform features and capabilities are traditionally discovered via the
CPUID instruction. Hypervisors typically trap and emulate the CPUID
instruction for a variety of reasons. There are some cases where incorrect
CPUID information can potentially lead to a security issue. The SEV-SNP
firmware provides a feature to filter the CPUID results through the PSP.
The filtered CPUID values are saved on a special page for the guest to
consume. Reserve a page in MEMFD that will contain the results of
filtered CPUID values.

Add a new section in Ovmf metadata structure so that hypervisor can
locate and populate the CPUID values before the boot.

Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/OvmfPkg.dec                      |  7 +++++++
 OvmfPkg/OvmfPkgX64.fdf                   |  3 +++
 OvmfPkg/ResetVector/ResetVector.inf      |  2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb    |  2 ++
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 11 +++++++++++
 5 files changed, 25 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 6266fdef6054..efa0de6d0600 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -347,6 +347,13 @@ [PcdsFixedAtBuild]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x52
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x53
=20
+  ## The base address and size of a CPUID Area that contains the hyperviso=
r
+  #  provided CPUID results. In the case of SEV-SNP, the CPUID results are
+  #  filtered by the SEV-SNP firmware. If this is set in the .fdf, the
+  #  platform is responsible to reserve this area from DXE phase overwrite=
s.
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x54
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x55
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x1=
0
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 5b871db20ab2..b38c123b8341 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -91,6 +91,9 @@ [FD.MEMFD]
 0x00D000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui=
d.PcdOvmfSnpSecretsSize
=20
+0x00E000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.Pcd=
OvmfCpuidSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace=
Guid.PcdOvmfSecPeiTempRamSize
=20
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese=
tVector.inf
index 09454d0797e6..4cb81a3233f0 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -46,6 +46,8 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
=20
 [FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re=
setVector.nasmb
index f7d09acd33ed..84cb5ae81b66 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -79,6 +79,8 @@
   %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)=
 + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
   %define SEV_SNP_SECRETS_BASE  (FixedPcdGet32 (PcdOvmfSnpSecretsBase))
   %define SEV_SNP_SECRETS_SIZE  (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
+  %define CPUID_BASE  (FixedPcdGet32 (PcdOvmfCpuidBase))
+  %define CPUID_SIZE  (FixedPcdGet32 (PcdOvmfCpuidSize))
=20
 %include "Ia32/Flat32ToFlat64.asm"
 %include "Ia32/AmdSev.asm"
diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector=
/X64/OvmfMetadata.asm
index bb348e1c6a79..95bac86a3b95 100644
--- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm
+++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm
@@ -23,6 +23,11 @@ BITS  64
 ; The section must be accepted or validated by the VMM before the boot
 %define OVMF_SECTION_TYPE_SEC_MEM     0x102
=20
+; The section contains the hypervisor pre-populated CPUID values. In the
+; case of SEV-SNP, the CPUID values are filtered and measured by the SEV-S=
NP
+; firmware.
+%define OVMF_SECTION_TYPE_CPUID       0x103
+
 ; AMD SEV-SNP specific sections
 %define OVMF_SECTION_TYPE_SNP_SECRETS 0x200
=20
@@ -50,5 +55,11 @@ SevSnpSecrets:
   DD  SEV_SNP_SECRETS_SIZE
   DD  OVMF_SECTION_TYPE_SNP_SECRETS
=20
+; CPUID values
+CpuidSec:
+  DD  CPUID_BASE
+  DD  CPUID_SIZE
+  DD  OVMF_SECTION_TYPE_CPUID
+
 OvmfGuidedStructureEnd:
   ALIGN   16
--=20
2.17.1