From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) by mx.groups.io with SMTP id smtpd.web12.408.1663879879839377455 for ; Thu, 22 Sep 2022 13:51:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@google.com header.s=20210112 header.b=KzzUoWeK; spf=pass (domain: flex--dionnaglaze.bounces.google.com, ip: 209.85.128.202, mailfrom: 3xsosywskbs8otzyylrwlkprzzrwp.nzxopgpwpovn.rczfad.tz@flex--dionnaglaze.bounces.google.com) Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-34d3fbc7cfcso69956227b3.7 for ; Thu, 22 Sep 2022 13:51:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date; bh=xd2whC9qbm1PkebsNpD1wafDbshwOX1lxXJzCSWXBsA=; b=KzzUoWeKnKhd8Dtpt1WqwV4UY30kVgzlG5a4FZ9Qxj70JYay+XWzO8efHs1acKCsKI uAkFsADc9gfUW+/Bhf/vd3xB4lzWv6Kl7S+EhDD1Np0YhqRY4+yt76QZcZRj2kBSJ7LM wOWIazlCzv3brbSg/tv1wzZPVoifvh3oah18SUSq2dsexq7k41j3PnUqH8HC39iFp1vi VBV+fnZl4UJ6u3UmUnvx3uODLtg0AjyhkEsbHh23C3h0TVfg/+Y7/txRJhKRljVNTtNE GqP/EI7VokUn1Oywy3ZBTxgd3YQT6sC/N2f/x2QYBEUZDVZrDjX4VyQtTjVMM4xw9ZTQ +kXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date; bh=xd2whC9qbm1PkebsNpD1wafDbshwOX1lxXJzCSWXBsA=; b=NonyyWTCBswBmaLrJGHu3eFOBVt6sDEAO7l+/MTnxdfp+0KVa7AIVFkmXPSufBZlJb RwojnihMW0OyCWOJxvrl+3g8+LJjIh5g6YoTQMqYV3icdeC5HGMPLWRr096uFMmr7EUs dlLDYnzJFtcMHFAsIDcrfaZg0Emn9YCjCGXWPseGBzUQVvuGKW0zGPIXQi1ZLPuVYF0y WBOEpajr+HnQhZSry43h/mLOY1vQJoMamUrtXUuqcwRsrcHkvniA1Y+s+D34PDkY7N1g hNeANNZFVCjAm6SmmhflznVn1bUQUcctnKVv5Dn1mXOw8xQhF0KhwazpvaVx77V3C4Dj Nw1Q== X-Gm-Message-State: ACrzQf2DbbTzwun5zq+00esLexiwvafbaAnncaVhyi+ntTVDTu8n0hwS CJO6UYTnQeicDnjBpPJ/GFqO4PZ9geDnKhAxryUufi7QGYXgJseVl/T5MqXbEUPBZbWdjVzm483 ThRZjGjeeLZZKOeg4lH1OxKETqnXBFdo6dgDh9IWfEqAt5V/WlUNBH/tFLW9Z5rxm8bVOMM1N X-Google-Smtp-Source: AMsMyM4cxRzxOZ+7CvkEZA+Eea3H3vUK3HdhrDij69/sBVVxoxb3EExNtBOk784JooFl6z1Ms3ipPV8WmGAKatD8tw== X-Received: from dionnaglaze.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:2ee6]) (user=dionnaglaze job=sendgmr) by 2002:a81:ac04:0:b0:340:e323:f318 with SMTP id k4-20020a81ac04000000b00340e323f318mr5128521ywh.165.1663879878971; Thu, 22 Sep 2022 13:51:18 -0700 (PDT) Date: Thu, 22 Sep 2022 20:50:50 +0000 In-Reply-To: <20220922205052.1198237-1-dionnaglaze@google.com> Mime-Version: 1.0 References: <20220922205052.1198237-1-dionnaglaze@google.com> X-Mailer: git-send-email 2.37.3.998.g577e59143f-goog Message-ID: <20220922205052.1198237-2-dionnaglaze@google.com> Subject: [PATCH 1/3] OvmfPkg: Realize EfiMemoryAcceptProtocol in AmdSevDxe From: "Dionna Glaze" To: devel@edk2.groups.io Cc: Dionna Glaze , Gerd Hoffmann , James Bottomley , Jiewen Yao , Tom Lendacky , Sophia Wolf Content-Type: text/plain; charset="UTF-8" From: Sophia Wolf When a guest OS does not support unaccepted memory, the unaccepted memory must be accepted before returning a memory map to the caller. EfiMemoryAcceptProtocol is defined in MdePkg and is implementated / Installed in AmdSevDxe for AMD SEV-SNP memory acceptance. Cc: Gerd Hoffmann Cc: James Bottomley Cc: Jiewen Yao Cc: Tom Lendacky Signed-off-by: Sophia Wolf --- OvmfPkg/AmdSevDxe/AmdSevDxe.c | 27 ++++++++++++++ OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 3 ++ OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 ++++++++ .../Ia32/MemEncryptSevLib.c | 17 +++++++++ .../X64/DxeSnpSystemRamValidate.c | 35 +++++++++++++++++++ .../X64/PeiSnpSystemRamValidate.c | 17 +++++++++ .../X64/SecSnpSystemRamValidate.c | 18 ++++++++++ 7 files changed, 131 insertions(+) diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c index 662d3c4ccb..74b82a5814 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c @@ -20,6 +20,7 @@ #include #include #include +#include STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = { SIGNATURE_32 ('A', 'M', 'D', 'E'), @@ -31,6 +32,25 @@ STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = { FixedPcdGet32 (PcdOvmfCpuidSize), }; +EFI_HANDLE mAmdSevDxeHandle = NULL; + +EFI_STATUS +EFIAPI +AmdSevMemoryAccept ( + IN EFI_MEMORY_ACCEPT_PROTOCOL *This, + IN EFI_PHYSICAL_ADDRESS StartAddress, + IN UINTN Size +) +{ + MemEncryptSnpAcceptPages (StartAddress, Size / SIZE_4KB); + + return EFI_SUCCESS; +} + +EFI_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = { + AmdSevMemoryAccept +}; + EFI_STATUS EFIAPI AmdSevDxeEntryPoint ( @@ -147,6 +167,13 @@ AmdSevDxeEntryPoint ( } } + Status = gBS->InstallProtocolInterface (&mAmdSevDxeHandle, + &gEfiMemoryAcceptProtocolGuid, EFI_NATIVE_INTERFACE, + &mMemoryAcceptProtocol); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Install EfiMemoryAcceptProtocol failed.\n")); + } + // // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB. // It contains the location for both the Secrets and CPUID page. diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf index 9acf860cf2..5ddddabc32 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf @@ -47,6 +47,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize +[Protocols] + gEfiMemoryAcceptProtocolGuid + [Guids] gConfidentialComputingSevSnpBlobGuid diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index 4fa9c0d700..05ec10471d 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -228,4 +228,18 @@ MemEncryptSevSnpPreValidateSystemRam ( IN UINTN NumPages ); +/** + Accept pages system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSnpAcceptPages ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ); + #endif // _MEM_ENCRYPT_SEV_LIB_H_ diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c index f92299fc77..f0747d792e 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c @@ -153,3 +153,20 @@ MemEncryptSevSnpPreValidateSystemRam ( { ASSERT (FALSE); } + +/** + Accept pages system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSnpAcceptPages ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + ASSERT (FALSE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c index d3a95e4913..7693e0ca66 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c @@ -14,6 +14,7 @@ #include #include "SnpPageStateChange.h" +#include "VirtualMemory.h" /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. @@ -38,3 +39,37 @@ MemEncryptSevSnpPreValidateSystemRam ( // ASSERT (FALSE); } + +/** + Accept pages system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSnpAcceptPages ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + EFI_STATUS Status; + + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + if (BaseAddress >= SIZE_4GB) { + Status = InternalMemEncryptSevCreateIdentityMap1G ( + 0, + BaseAddress, + EFI_PAGES_TO_SIZE (NumPages) + ); + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + CpuDeadLoop (); + } + } + + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index 4970165444..1c52bfe691 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -126,3 +126,20 @@ MemEncryptSevSnpPreValidateSystemRam ( BaseAddress = EndAddress; } } + +/** + Accept pages system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSnpAcceptPages ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + ASSERT (FALSE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c index 7797febb8a..edfebf6ef4 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -10,6 +10,7 @@ #include #include +#include #include #include "SnpPageStateChange.h" @@ -80,3 +81,20 @@ MemEncryptSevSnpPreValidateSystemRam ( InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); } + +/** + Accept pages system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSnpAcceptPages ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + ASSERT(FALSE); +} -- 2.37.3.998.g577e59143f-goog