Date: Thu, 19 May 2022 13:19:52 -0500
From: Michael Roth
To: "Ni, Ray"
CC: "devel@edk2.groups.io", Tom Lendacky
Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page
Message-ID: <20220519181952.wsr52rnhzkfdvaqa@amd.com>
References: <20220516120217.553061-1-michael.roth@amd.com>

On Tue, May 17, 2022 at 02:17:28PM +0000, Ni, Ray wrote:
> can you please split the patches so one patch for one package?

Hi Ray,

Sorry I missed your reply somehow. I'll send a v3 that splits the series in 4 patches:

  1/4 MdePkg: introduce SnpSecretPageDef.h
  2/4 MdePkg: introduce gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress PCD
  3/4 OvmfPkg: initialize PcdSevSnpSecretsAddress PCD
  4/4 UefiCpuPkg: use PcdSevSnpSecretsAddress to access secrets page and set AP jump table address

but if you were thinking something else just let me know.

Thanks!

-Mike

>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Michael Roth via groups.io
> > Sent: Monday, May 16, 2022 8:02 PM
> > To: devel@edk2.groups.io
> > Cc: Tom Lendacky
> > Subject: [edk2-devel] [PATCH v2] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page
> >
> > A full-featured SEV-SNP guest will not rely on the AP jump table, and
> > will instead use the AP Creation interface defined by the GHCB. However,
> > a guest is still allowed to use the AP jump table if desired.
> >
> > However, unlike with SEV-ES guests, SEV-SNP guests should not
> > store/retrieve the jump table address via GHCB requests to the
> > hypervisor, they should instead store/retrieve it via the SEV-SNP
> > secrets page. Implement the store side of this for OVMF.
> >
> > Suggested-by: Tom Lendacky
> > Signed-off-by: Michael Roth > > --- > > v2: > > - Update Secrets OS area to match latest GHCB 2.01 spec > > - Move Secrets header file into ./Register/AMD subdirectory > > - Fix CI EccCheck due to assignment in variable declaration > > > > MdePkg/Include/Register/Amd/SnpSecretsPage.h | 56 +++++++++++++++++++ > > MdePkg/MdePkg.dec | 4 ++ > > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 + > > OvmfPkg/CloudHv/CloudHvX64.dsc | 3 + > > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 + > > OvmfPkg/Microvm/MicrovmX64.dsc | 3 + > > OvmfPkg/OvmfPkgIa32.dsc | 3 + > > OvmfPkg/OvmfPkgIa32X64.dsc | 3 + > > OvmfPkg/OvmfPkgX64.dsc | 3 + > > OvmfPkg/PlatformPei/AmdSev.c | 5 ++ > > OvmfPkg/PlatformPei/PlatformPei.inf | 1 + > > UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 + > > UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 10 ++++ > > 13 files changed, 98 insertions(+) > > create mode 100644 MdePkg/Include/Register/Amd/SnpSecretsPage.h > > > > diff --git a/MdePkg/Include/Register/Amd/SnpSecretsPage.h b/MdePkg/Include/Register/Amd/SnpSecretsPage.h > > new file mode 100644 > > index 0000000000..3188459150 > > --- /dev/null > > +++ b/MdePkg/Include/Register/Amd/SnpSecretsPage.h > > @@ -0,0 +1,56 @@ > > +/** @file > > > > +Definitions for AMD SEV-SNP Secrets Page > > > > + > > > > +Copyright (c) 2022 AMD Inc. All rights reserved.
> > > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > > > + > > > > +**/ > > > > + > > > > +#ifndef SNP_SECRETS_PAGE_H_ > > > > +#define SNP_SECRETS_PAGE_H_ > > > > + > > > > +// > > > > +// OS-defined area of secrets page > > > > +// > > > > +// As defined by "SEV-ES Guest-Hypervisor Communication Block Standardization", > > > > +// revision 2.01, section 2.7, "SEV-SNP Secrets Page". > > > > +// > > > > +typedef PACKED struct _SNP_SECRETS_OS_AREA { > > > > + UINT32 Vmpl0MsgSeqNumLo; > > > > + UINT32 Vmpl1MsgSeqNumLo; > > > > + UINT32 Vmpl2MsgSeqNumLo; > > > > + UINT32 Vmpl3MsgSeqNumLo; > > > > + UINT64 ApJumpTablePa; > > > > + UINT32 Vmpl0MsgSeqNumHi; > > > > + UINT32 Vmpl1MsgSeqNumHi; > > > > + UINT32 Vmpl2MsgSeqNumHi; > > > > + UINT32 Vmpl3MsgSeqNumHi; > > > > + UINT8 Reserved2[22]; > > > > + UINT16 Version; > > > > + UINT8 GuestUsage[32]; > > > > +} SNP_SECRETS_OS_AREA; > > > > + > > > > +#define VMPCK_KEY_LEN 32 > > > > + > > > > +// > > > > +// SEV-SNP Secrets page > > > > +// > > > > +// As defined by "SEV-SNP Firmware ABI", revision 1.51, section 8.17.2.5, > > > > +// "PAGE_TYPE_SECRETS". > > > > +// > > > > +typedef PACKED struct _SNP_SECRETS_PAGE { > > > > + UINT32 Version; > > > > + UINT32 ImiEn : 1, > > > > + Reserved : 31; > > > > + UINT32 Fms; > > > > + UINT32 Reserved2; > > > > + UINT8 Gosvw[16]; > > > > + UINT8 Vmpck0[VMPCK_KEY_LEN]; > > > > + UINT8 Vmpck1[VMPCK_KEY_LEN]; > > > > + UINT8 Vmpck2[VMPCK_KEY_LEN]; > > > > + UINT8 Vmpck3[VMPCK_KEY_LEN]; > > > > + SNP_SECRETS_OS_AREA OsArea; > > > > + UINT8 Reserved3[3840]; > > > > +} SNP_SECRETS_PAGE; > > > > + > > > > +#endif > > > > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec > > index f1ebf9e251..a365bfcfe8 100644 > > --- a/MdePkg/MdePkg.dec > > +++ b/MdePkg/MdePkg.dec 
> > @@ -2417,5 +2417,9 @@ > > # @Prompt Memory encryption attribute > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x0000002e > > > > > > > > + ## This dynamic PCD indicates the location of the SEV-SNP secrets page. > > > > + # @Prompt SEV-SNP secrets page address > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0|UINT64|0x0000002f > > > > + > > > > [UserExtensions.TianoCore."ExtraFiles"] > > > > MdePkgExtra.uni > > > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > > index f0700035c1..02306945fd 100644 > > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > > @@ -575,6 +575,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > !include OvmfPkg/OvmfTpmPcds.dsc.inc > > > > > > > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > > > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc > > index d1c85f60c7..7143698253 100644 > > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc > > @@ -630,6 +630,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > [PcdsDynamicHii] > > > > !include OvmfPkg/OvmfTpmPcdsHii.dsc.inc > > > > > > > > diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > > index 80c331ea23..b19718c572 100644 > > --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > > +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc 
> > @@ -512,6 +512,9 @@ > > > > > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > ################################################################################ > > > > # > > > > # Components Section - list of all EDK II Modules needed by this Platform. > > > > diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc > > index 20c3c9c4d8..42673c29ee 100644 > > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > > @@ -613,6 +613,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > ################################################################################ > > > > # > > > > # Components Section - list of all EDK II Modules needed by this Platform. > > > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > > index 533bbdb435..8ffef069a3 100644 > > --- a/OvmfPkg/OvmfPkgIa32.dsc > > +++ b/OvmfPkg/OvmfPkgIa32.dsc > > @@ -649,6 +649,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > !if $(CSM_ENABLE) == FALSE > > > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > > > !endif > > > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > > index cb68e612bd..0b4d5001b2 100644 > > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc 
> > @@ -657,6 +657,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > !if $(CSM_ENABLE) == FALSE > > > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > > > !endif > > > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > > index 71526bba31..3a3223be6b 100644 > > --- a/OvmfPkg/OvmfPkgX64.dsc > > +++ b/OvmfPkg/OvmfPkgX64.dsc > > @@ -680,6 +680,9 @@ > > # Set ConfidentialComputing defaults > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > > > > > > > + # Set SEV-SNP Secrets page address default > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > > > > + > > > > !if $(CSM_ENABLE) == FALSE > > > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > > > !endif > > > > diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c > > index 385562b44c..70352ca43b 100644 > > --- a/OvmfPkg/PlatformPei/AmdSev.c > > +++ b/OvmfPkg/PlatformPei/AmdSev.c > > @@ -408,6 +408,11 @@ AmdSevInitialize ( > > // > > > > if (MemEncryptSevSnpIsEnabled ()) { > > > > PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp); > > > > + ASSERT_RETURN_ERROR (PcdStatus); > > > > + PcdStatus = PcdSet64S ( > > > > + PcdSevSnpSecretsAddress, > > > > + (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase) > > > > + ); > > > > } else if (MemEncryptSevEsIsEnabled ()) { > > > > PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs); > > > > } else { > > > > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf > > index 00372fa0eb..c688e4ee24 100644 > > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf 
> > @@ -114,6 +114,7 @@ > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr > > > > gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress > > > > > > > > [FixedPcd] > > > > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase > > > > diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > > index e1cd0b3500..d8cfddcd82 100644 > > --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > > +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > > @@ -80,3 +80,4 @@ > > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES > > > > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES > > > > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress ## CONSUMES > > > > diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > > index 60d14a5a0e..4d6f7643db 100644 > > --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > > +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > > @@ -15,6 +15,7 @@ > > #include > > > > #include > > > > #include > > > > +#include > > > > > > > > #include > > > > > > > > @@ -216,6 +217,15 @@ GetSevEsAPMemory ( > > > > > > DEBUG ((DEBUG_INFO, "Dxe: SevEsAPMemory = %lx\n", (UINTN)StartAddress)); > > > > > > > > + if (ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { > > > > + SNP_SECRETS_PAGE *Secrets; > > > > + > > > > + Secrets = (SNP_SECRETS_PAGE *)(INTN)PcdGet64 (PcdSevSnpSecretsAddress); > > > > + Secrets->OsArea.ApJumpTablePa = (UINT64)(UINTN)StartAddress; > > > > + > > > > + return (UINTN)StartAddress; > > > > + } > > > > + > > > > // > > > > // Save the SevEsAPMemory as the AP jump table. > > > > // > > > > -- > > 2.25.1 > > > > > > > > > > >
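
Review bot: in MdePkg/Include/Register/Amd/SnpSecretsPage.h nothing checks the struct layout at build time. As written, the fields of SNP_SECRETS_OS_AREA add up to 96 bytes and those of SNP_SECRETS_PAGE to 4096, with OsArea at offset 0xA0, and DxeMpLib.c later writes ApJumpTablePa through this definition, so a later edit to either struct, or a toolchain where PACKED does not take effect, would move that field without any warning. Consider adding STATIC_ASSERT (sizeof (SNP_SECRETS_PAGE) == SIZE_4KB, ...) after the typedefs, plus a matching assert on OFFSET_OF (SNP_SECRETS_PAGE, OsArea).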
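
Review bot: the MdePkg.dec comment for PcdSevSnpSecretsAddress does not document what the default value 0 means. Every DSC touched here sets the PCD to 0 and only the SEV-SNP branch in AmdSev.c assigns a real value (from PcdOvmfSnpSecretsBase), so consumers need to know that 0 stands for "no secrets page". Suggest extending the "## This dynamic PCD indicates the location of the SEV-SNP secrets page." line to say so, and to say which phase sets it.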
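
Review bot: in the GetSevEsAPMemory hunk of UefiCpuPkg/Library/MpInitLib/DxeMpLib.c the value of PcdSevSnpSecretsAddress is dereferenced without a check. The PCD defaults to 0 in MdePkg.dec and in every DSC in this patch, and MpInitLib is not OVMF-specific, so a platform that reports CCAttrAmdSevSnp but never sets the PCD would write ApJumpTablePa at address 0 + 0xB0. Suggest testing for 0 (ASSERT plus a fallback or an error path) before "Secrets->OsArea.ApJumpTablePa = (UINT64)(UINTN)StartAddress;". Two smaller points in the same hunk: the pointer cast goes through (INTN) while the next line uses (UINTN), so (UINTN) would be consistent, and "SNP_SECRETS_PAGE *Secrets;" is declared inside the if block rather than with the other locals at the top of the function.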