From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.74]) by mx.groups.io with SMTP id smtpd.web08.4217.1642633436327530995 for ; Wed, 19 Jan 2022 15:03:56 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amd.com header.s=selector1 header.b=u4LLIpnz; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.237.74, mailfrom: brijesh.singh@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bLz8tVygecxt62PZZrptj+0dRgm2aKUncpjznfCv6iEKxhlR1MH0aA7Iu9SMTeg5/JP8gi5xGXJ8WrgJIrrwcxW0SpLiGz6We5+sqxWxxIUlwzP6w/cGRM51lLkJ+YJDx0s+vPpbViiL6O2Gk7oIYj91HcEQUYSm9kvQio6zJZOj2Pwa0NXjkvP+fmu6tqVahP1xfdUvVmGRXjNPAC0G+tGQcnwe8lwIH6ml+SITkxlF4ff7IAaxpIvnMgPTAOYZ6USo0jt++zfnpzWzJVly+oHTYNa7JLw7E/O5Xy8j1sDuW7OXFFi4eEfmoXgfCApi51Xp2u/Ui9BjyxPmAPZWUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=73qVof4+bOgQJI5x758j2IXdqvXw4r4sJ2jvFIXc0Y0=; b=fB9nlBSo6Wc5780GAKmp9JUPShm+C3MMVg1+FcIfv/beaXR5AaelYjkj2qq9/ASk6k2cXXqglxX1Ze5LMINWbT3iiX5Yusvy7PpDTe4DztoIpOyRhMxFtvlMgwheNXvpVhjgPg/8X2P7wppFAjLZW6QyJvZM1jsRa+EbyyHF3LMQ7PdKuiISvgXK2vw/FspXp5YmtNVWwxo3AMomFdY3LeYeQ0HV4zjDgviCtbu6/L9V6mBwYvkhHkkjJ/w3xX+Y/TN2YhX2E1hWSOi76FI3+nsZdJGLNnf0itjQ1LLHUxmLXv4pe/y46i/xuOrshK3OhAliOSRKowW/tzWgWW/KTQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=73qVof4+bOgQJI5x758j2IXdqvXw4r4sJ2jvFIXc0Y0=; b=u4LLIpnz4294TUsNaK6MqPMWzhnlz2W2apL9M3jVt7S0gpaZnH4gMIlDaVti728iEDiIB8PzrMX8sYR4TdbKPwsTneQrnKBawcx0aGEKv8FHtLNq5DRy90dKxsUOVmoRUeNnFR0960dcLaGVL8PyZMM2gGDtbK0Xq060qqgyvyw= Received: from DS7PR05CA0034.namprd05.prod.outlook.com (2603:10b6:8:2f::35) by SJ0PR12MB5487.namprd12.prod.outlook.com (2603:10b6:a03:301::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.7; Wed, 19 Jan 2022 23:03:53 +0000 Received: from DM6NAM11FT013.eop-nam11.prod.protection.outlook.com (2603:10b6:8:2f:cafe::c4) by DS7PR05CA0034.outlook.office365.com (2603:10b6:8:2f::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4909.3 via Frontend Transport; Wed, 19 Jan 2022 23:03:53 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; Received: from SATLEXMB04.amd.com (165.204.84.17) by DM6NAM11FT013.mail.protection.outlook.com (10.13.173.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.4909.7 via Frontend Transport; Wed, 19 Jan 2022 23:03:53 +0000 Received: from sbrijesh-desktop.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Wed, 19 Jan 2022 17:03:51 -0600 From: "Brijesh Singh" To: CC: James Bottomley , Min Xu , "Jiewen Yao" , Tom Lendacky , "Jordan Justen" , Ard Biesheuvel , Erdem Aktas , "Michael Roth" , Gerd Hoffmann , Brijesh Singh Subject: [PATCH 2/2] OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea Date: Wed, 19 Jan 2022 17:03:32 -0600 Message-ID: <20220119230332.44888-3-brijesh.singh@amd.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220119230332.44888-1-brijesh.singh@amd.com> References: <20220119230332.44888-1-brijesh.singh@amd.com> MIME-Version: 1.0 Return-Path: brijesh.singh@amd.com X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f2179f01-ed5b-4858-ce74-08d9db9ff6b3 X-MS-TrafficTypeDiagnostic: SJ0PR12MB5487:EE_ X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:7691; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: uTf8l1aZLfsTvECtnEsrF/LvEqrbP+ZzFfuvbjK4f3IIYRuRXZshITjzFIjRqpfxBsnsjuGCEjztIFMRSDGHmw7DxyXTcVSsUP5ky+wEV1t/E0LrgR0hqvGH2zCj61N980zfKLow2gHua0pMbiD5XqYwjLdqZt5VXXfuJEFIZIoUX7r1faJ38x770YMWWeeDUPl2yydLCp5Mxley7WsgFjpv3NTbZFx7AU0io+5Lob7uwGeW7EUFXn6x1EupTbG70VhPLz/HT+0BaVANNa28ap0yPccCtdAbNKDdzaYGJqr2oTNIfmsm7hwVAzCDlEXAU3e5xqHqi88x6VA2c/1h9k0j79dGyXbsg0AkRREDifqzSHewHKZkgxpZvjvoz7q+vOA3PpbKZmr4WgTq0cdqa8ao5FARGzPFqWrylvQmuLzThv3JqiWjEdJ5h84mID/K/4LWXk+ch9aEhe92iElF6ygor3cIT2fD6nNdTF2TebEsk+PMPm2bpbyFKk+O/8GvPgbxBcevPEmdd+s9HWq8hvpOJXihegRNaxeIIUb+UHgc0uznLN8kZMGo7MeGlxNJN9EjtuU31OW2yN2hFH4gqQwjWv9NiLwTmPVmqM5HP9L7+tM/rqhbsroNC8+kccjlvLRANBwiV+gL+Pkg1cTR45ptsBheX2EOmkxQsDi5HX/EGl9Jia8gkzOnhFFkj5bBS6r5X2ZmKm7dOQRSKfZvMz/PK9mJIqC1uYUv+DuFTI9e5DZdM1KdQdmE2FvwCV6YA4ZCjIwIlHWtS5YiDK8dit7EEZYpJGamzEXq23wpcVw= X-Forefront-Antispam-Report: CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(4636009)(40470700002)(36840700001)(46966006)(2906002)(8936002)(16526019)(86362001)(81166007)(26005)(8676002)(6916009)(186003)(82310400004)(426003)(7696005)(2616005)(44832011)(336012)(4326008)(83380400001)(316002)(36756003)(70206006)(70586007)(30864003)(356005)(1076003)(47076005)(5660300002)(508600001)(6666004)(54906003)(36860700001)(40460700001)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jan 2022 23:03:53.3804 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: f2179f01-ed5b-4858-ce74-08d9db9ff6b3 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT013.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR12MB5487 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain Improve the MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR value saved in the workarea. Since workarea is valid until the PEI phase, so, for the Dxe phase use the PcdConfidentialComputingGuestAttr to determine which SEV technology is enabled. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + .../DxeMemEncryptSevLibInternal.c | 142 ++++++++---------- .../PeiMemEncryptSevLibInternal.c | 139 ++++++----------- .../SecMemEncryptSevLibInternal.c | 80 +++++----- 6 files changed, 150 insertions(+), 214 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f613bb314f5f..35b7d519d938 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -58,3 +58,4 @@ [FeaturePcd] =20 [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 50c83859d7e7..714da3323765 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,6 +58,7 @@ [FeaturePcd] =20 [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 939af0a91ea4..284e5acc1177 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -52,3 +52,4 @@ [LibraryClasses] =20 [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 15fcd5529587..25768daf5467 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -16,83 +16,77 @@ #include #include #include - -STATIC BOOLEAN mSevStatus =3D FALSE; -STATIC BOOLEAN mSevEsStatus =3D FALSE; -STATIC BOOLEAN mSevSnpStatus =3D FALSE; -STATIC BOOLEAN mSevStatusChecked =3D FALSE; +#include =20 STATIC UINT64 mSevEncryptionMask =3D 0; STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE; =20 /** - Reads and sets the status of SEV features. + The function check if the specified Attr is set. =20 - **/ + @param[in] CurrentAttr The current attribute. + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is set. + @retval FALSE The specified Attr is not set. + +**/ +STATIC +BOOLEAN +AmdMemEncryptionAttrCheck ( + IN UINT64 CurrentAttr, + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + switch (Attr) { + case CCAttrAmdSev: + // + // SEV is automatically enabled if SEV-ES or SEV-SNP is active. + // + return CurrentAttr >=3D CCAttrAmdSev; + case CCAttrAmdSevEs: + // + // SEV-ES is automatically enabled if SEV-SNP is active. + // + return CurrentAttr >=3D CCAttrAmdSevEs; + case CCAttrAmdSevSnp: + return CurrentAttr =3D=3D CCAttrAmdSevSnp; + default: + return FALSE; + } +} + +/** + Check if the specified confidential computing attribute is active. + + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. + +**/ STATIC -VOID +BOOLEAN EFIAPI -InternalMemEncryptSevStatus ( - VOID +ConfidentialComputingGuestHas ( + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { - UINT32 RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - UINT64 EncryptionMask; - - ReadSevMsr =3D FALSE; - - EncryptionMask =3D PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); - if (EncryptionMask !=3D 0) { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } - } - - if (ReadSevMsr) { - // - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) - // - Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); - if (Msr.Bits.SevBit) { - mSevStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) - // - if (Msr.Bits.SevEsBit) { - mSevEsStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) - // - if (Msr.Bits.SevSnpBit) { - mSevSnpStatus =3D TRUE; - } + UINT64 CurrentAttr; + + // + // Get the current CC attribute. + // + CurrentAttr =3D PcdGet64 (PcdConfidentialComputingGuestAttr); + + // + // If attr is for the AMD group then call AMD specific checks. + // + if (((RShiftU64 (CurrentAttr, 8)) & 0xff) =3D=3D 1) { + return AmdMemEncryptionAttrCheck (CurrentAttr, Attr); } =20 - mSevStatusChecked =3D TRUE; + return (CurrentAttr =3D=3D Attr); } =20 /** @@ -107,11 +101,7 @@ MemEncryptSevSnpIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevSnpStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSevSnp); } =20 /** @@ -126,11 +116,7 @@ MemEncryptSevEsIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevEsStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSevEs); } =20 /** @@ -145,11 +131,7 @@ MemEncryptSevIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSev); } =20 /** diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index d68ff08c3ea6..3f8f91a5da12 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -17,82 +17,51 @@ #include #include =20 -STATIC BOOLEAN mSevStatus =3D FALSE; -STATIC BOOLEAN mSevEsStatus =3D FALSE; -STATIC BOOLEAN mSevSnpStatus =3D FALSE; -STATIC BOOLEAN mSevStatusChecked =3D FALSE; +/** + Read the workarea to determine whether SEV is enabled. If enabled, + then return the SevEsWorkArea pointer. + + **/ +STATIC +SEC_SEV_ES_WORK_AREA * +EFIAPI +GetSevEsWorkArea ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + + // + // If its not SEV guest then SevEsWorkArea is not valid. + // + if ((WorkArea =3D=3D NULL) || (WorkArea->Header.GuestType !=3D GUEST_TYP= E_AMD_SEV)) { + return NULL; + } =20 -STATIC UINT64 mSevEncryptionMask =3D 0; -STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE; + return (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); +} =20 /** - Reads and sets the status of SEV features. + Read the SEV Status MSR value from the workarea =20 **/ STATIC -VOID +UINT32 EFIAPI InternalMemEncryptSevStatus ( VOID ) { - UINT32 RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - ReadSevMsr =3D FALSE; - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->EncryptionMask !=3D 0))= { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } - } - - if (ReadSevMsr) { - // - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) - // - Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); - if (Msr.Bits.SevBit) { - mSevStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) - // - if (Msr.Bits.SevEsBit) { - mSevEsStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) - // - if (Msr.Bits.SevSnpBit) { - mSevSnpStatus =3D TRUE; - } + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - mSevStatusChecked =3D TRUE; + return (UINT32)(UINTN)SevEsWorkArea->SevStatusMsrValue; } =20 /** @@ -107,11 +76,11 @@ MemEncryptSevSnpIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevSnpStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; } =20 /** @@ -126,11 +95,11 @@ MemEncryptSevEsIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevEsStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevEsBit ? TRUE : FALSE; } =20 /** @@ -145,11 +114,11 @@ MemEncryptSevIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevBit ? TRUE : FALSE; } =20 /** @@ -163,24 +132,12 @@ MemEncryptSevGetEncryptionMask ( VOID ) { - if (!mSevEncryptionMaskSaved) { - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkA= reaBase); - if (SevEsWorkArea !=3D NULL) { - mSevEncryptionMask =3D SevEsWorkArea->EncryptionMask; - } else { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; - - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NUL= L); - mSevEncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); - } - - mSevEncryptionMaskSaved =3D TRUE; + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return mSevEncryptionMask; + return SevEsWorkArea->EncryptionMask; } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 5d912b2a4a5e..80aceba01bcf 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -18,7 +18,33 @@ #include =20 /** - Reads and sets the status of SEV features. + Read the workarea to determine whether SEV is enabled. If enabled, + then return the SevEsWorkArea pointer. + + **/ +STATIC +SEC_SEV_ES_WORK_AREA * +EFIAPI +GetSevEsWorkArea ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + + // + // If its not SEV guest then SevEsWorkArea is not valid. + // + if ((WorkArea =3D=3D NULL) || (WorkArea->Header.GuestType !=3D GUEST_TYP= E_AMD_SEV)) { + return NULL; + } + + return (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); +} + +/** + Read the SEV Status MSR value from the workarea =20 **/ STATIC @@ -28,38 +54,14 @@ InternalMemEncryptSevStatus ( VOID ) { - UINT32 RegEax; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - ReadSevMsr =3D FALSE; - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->EncryptionMask !=3D 0))= { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; + return (UINT32)(UINTN)SevEsWorkArea->SevStatusMsrValue; } =20 /** @@ -130,22 +132,14 @@ MemEncryptSevGetEncryptionMask ( VOID ) { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; - UINT64 EncryptionMask; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if (SevEsWorkArea !=3D NULL) { - EncryptionMask =3D SevEsWorkArea->EncryptionMask; - } else { - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL)= ; - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return EncryptionMask; + return SevEsWorkArea->EncryptionMask; } =20 /** --=20 2.25.1