* [PATCH v4 1/4] MdePkg: Add header for SEV-SNP secrets page struct
2022-12-21 15:50 [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
@ 2022-12-21 15:50 ` Roth, Michael
2022-12-21 15:50 ` [PATCH v4 2/4] MdePkg: Add PcdSevSnpSecretsAddress to export SEV-SNP secrets page Roth, Michael
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Roth, Michael @ 2022-12-21 15:50 UTC (permalink / raw)
To: devel; +Cc: Tom Lendacky, ray.ni
This will be needed so that the AP Jump Table address can be stored for
use by the operating system later, and possibly for other things in the
future.
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
MdePkg/Include/Register/Amd/SnpSecretsPage.h | 56 ++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 MdePkg/Include/Register/Amd/SnpSecretsPage.h
diff --git a/MdePkg/Include/Register/Amd/SnpSecretsPage.h b/MdePkg/Include/Register/Amd/SnpSecretsPage.h
new file mode 100644
index 0000000000..3188459150
--- /dev/null
+++ b/MdePkg/Include/Register/Amd/SnpSecretsPage.h
@@ -0,0 +1,56 @@
+/** @file
+Definitions for AMD SEV-SNP Secrets Page
+
+Copyright (c) 2022 AMD Inc. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef SNP_SECRETS_PAGE_H_
+#define SNP_SECRETS_PAGE_H_
+
+//
+// OS-defined area of secrets page
+//
+// As defined by "SEV-ES Guest-Hypervisor Communication Block Standardization",
+// revision 2.01, section 2.7, "SEV-SNP Secrets Page".
+//
+typedef PACKED struct _SNP_SECRETS_OS_AREA {
+ UINT32 Vmpl0MsgSeqNumLo;
+ UINT32 Vmpl1MsgSeqNumLo;
+ UINT32 Vmpl2MsgSeqNumLo;
+ UINT32 Vmpl3MsgSeqNumLo;
+ UINT64 ApJumpTablePa;
+ UINT32 Vmpl0MsgSeqNumHi;
+ UINT32 Vmpl1MsgSeqNumHi;
+ UINT32 Vmpl2MsgSeqNumHi;
+ UINT32 Vmpl3MsgSeqNumHi;
+ UINT8 Reserved2[22];
+ UINT16 Version;
+ UINT8 GuestUsage[32];
+} SNP_SECRETS_OS_AREA;
+
+#define VMPCK_KEY_LEN 32
+
+//
+// SEV-SNP Secrets page
+//
+// As defined by "SEV-SNP Firmware ABI", revision 1.51, section 8.17.2.5,
+// "PAGE_TYPE_SECRETS".
+//
+typedef PACKED struct _SNP_SECRETS_PAGE {
+ UINT32 Version;
+ UINT32 ImiEn : 1,
+ Reserved : 31;
+ UINT32 Fms;
+ UINT32 Reserved2;
+ UINT8 Gosvw[16];
+ UINT8 Vmpck0[VMPCK_KEY_LEN];
+ UINT8 Vmpck1[VMPCK_KEY_LEN];
+ UINT8 Vmpck2[VMPCK_KEY_LEN];
+ UINT8 Vmpck3[VMPCK_KEY_LEN];
+ SNP_SECRETS_OS_AREA OsArea;
+ UINT8 Reserved3[3840];
+} SNP_SECRETS_PAGE;
+
+#endif
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH v4 2/4] MdePkg: Add PcdSevSnpSecretsAddress to export SEV-SNP secrets page
2022-12-21 15:50 [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
2022-12-21 15:50 ` [PATCH v4 1/4] MdePkg: Add header for SEV-SNP secrets page struct Roth, Michael
@ 2022-12-21 15:50 ` Roth, Michael
2022-12-21 15:50 ` [PATCH v4 3/4] OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase Roth, Michael
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Roth, Michael @ 2022-12-21 15:50 UTC (permalink / raw)
To: devel; +Cc: Tom Lendacky, ray.ni
OvmfPkg will initially use this to hand off the secrets page address to
UefiCpuPkg, which will need this PCD to access the SEV-SNP secrets page
address. Define this as an MdePkg PCD so it can be accessed by other
packages alongside the secrets page struct defined in MdePkg/Include.
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
MdePkg/MdePkg.dec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index e49b2d5b5f..a233a318ba 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2429,5 +2429,9 @@
# @Prompt Memory encryption attribute
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x0000002e
+ ## This dynamic PCD indicates the location of the SEV-SNP secrets page.
+ # @Prompt SEV-SNP secrets page address
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0|UINT64|0x0000002f
+
[UserExtensions.TianoCore."ExtraFiles"]
MdePkgExtra.uni
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH v4 3/4] OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase
2022-12-21 15:50 [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
2022-12-21 15:50 ` [PATCH v4 1/4] MdePkg: Add header for SEV-SNP secrets page struct Roth, Michael
2022-12-21 15:50 ` [PATCH v4 2/4] MdePkg: Add PcdSevSnpSecretsAddress to export SEV-SNP secrets page Roth, Michael
@ 2022-12-21 15:50 ` Roth, Michael
2023-01-06 9:19 ` [edk2-devel] " Yao, Jiewen
2022-12-21 15:50 ` [PATCH v4 4/4] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page Roth, Michael
2022-12-21 17:34 ` [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
4 siblings, 1 reply; 7+ messages in thread
From: Roth, Michael @ 2022-12-21 15:50 UTC (permalink / raw)
To: devel; +Cc: Tom Lendacky, ray.ni
This needs to be set so that UefiCpuPkg can locate the SEV-SNP secrets
page later to set the AP Jump Table address.
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++
OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++
OvmfPkg/OvmfPkgIa32.dsc | 3 +++
OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++
OvmfPkg/OvmfPkgX64.dsc | 3 +++
OvmfPkg/PlatformPei/AmdSev.c | 5 +++++
OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
9 files changed, 27 insertions(+)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index bb91e8c734..6c3b78d424 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -528,6 +528,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
!include OvmfPkg/Include/Dsc/OvmfTpmPcds.dsc.inc
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index 4d7107fd19..2cc73981b2 100644
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -640,6 +640,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
[PcdsDynamicHii]
!include OvmfPkg/Include/Dsc/OvmfTpmPcdsHii.dsc.inc
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index ea538fd783..b264eb9fc3 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -527,6 +527,9 @@
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform.
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 285ba50671..b2eaa11a85 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -644,6 +644,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform.
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index dcf46d207d..2e04a3f8b1 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -666,6 +666,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
!if $(CSM_ENABLE) == FALSE
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index d0746cb72b..4ebf2aff34 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -675,6 +675,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
!if $(CSM_ENABLE) == FALSE
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 2caa4d2ecc..6f8f368977 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -703,6 +703,9 @@
# Set ConfidentialComputing defaults
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ # Set SEV-SNP Secrets page address default
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
+
!if $(CSM_ENABLE) == FALSE
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
!endif
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index e4e7b72e67..fa88c9ebd8 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -422,6 +422,11 @@ AmdSevInitialize (
//
if (MemEncryptSevSnpIsEnabled ()) {
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
+ ASSERT_RETURN_ERROR (PcdStatus);
+ PcdStatus = PcdSet64S (
+ PcdSevSnpSecretsAddress,
+ (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase)
+ );
} else if (MemEncryptSevEsIsEnabled ()) {
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
} else {
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 1fadadeb55..851af81248 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -115,6 +115,7 @@
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures
gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress
[FixedPcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [edk2-devel] [PATCH v4 3/4] OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase
2022-12-21 15:50 ` [PATCH v4 3/4] OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase Roth, Michael
@ 2023-01-06 9:19 ` Yao, Jiewen
0 siblings, 0 replies; 7+ messages in thread
From: Yao, Jiewen @ 2023-01-06 9:19 UTC (permalink / raw)
To: devel@edk2.groups.io, Michael.Roth@amd.com; +Cc: Tom Lendacky, Ni, Ray
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Roth,
> Michael via groups.io
> Sent: Wednesday, December 21, 2022 11:51 PM
> To: devel@edk2.groups.io
> Cc: Tom Lendacky <thomas.lendacky@amd.com>; Ni, Ray <ray.ni@intel.com>
> Subject: [edk2-devel] [PATCH v4 3/4] OvmfPkg: Initialize the
> PcdSevSnpSecretsAddress PCD during PEI phase
>
> This needs to be set so that UefiCpuPkg can locate the SEV-SNP secrets
> page later to set the AP Jump Table address.
>
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Michael Roth <michael.roth@amd.com>
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
> OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++
> OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++
> OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++
> OvmfPkg/OvmfPkgIa32.dsc | 3 +++
> OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++
> OvmfPkg/OvmfPkgX64.dsc | 3 +++
> OvmfPkg/PlatformPei/AmdSev.c | 5 +++++
> OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
> 9 files changed, 27 insertions(+)
>
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index bb91e8c734..6c3b78d424 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -528,6 +528,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
> !include OvmfPkg/Include/Dsc/OvmfTpmPcds.dsc.inc
>
>
>
> gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
>
> diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc
> b/OvmfPkg/CloudHv/CloudHvX64.dsc
> index 4d7107fd19..2cc73981b2 100644
> --- a/OvmfPkg/CloudHv/CloudHvX64.dsc
> +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
> @@ -640,6 +640,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
> [PcdsDynamicHii]
>
> !include OvmfPkg/Include/Dsc/OvmfTpmPcdsHii.dsc.inc
>
>
>
> diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> index ea538fd783..b264eb9fc3 100644
> --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
> @@ -527,6 +527,9 @@
>
>
> gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
>
> ################################################################
> ################
>
> #
>
> # Components Section - list of all EDK II Modules needed by this Platform.
>
> diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc
> b/OvmfPkg/Microvm/MicrovmX64.dsc
> index 285ba50671..b2eaa11a85 100644
> --- a/OvmfPkg/Microvm/MicrovmX64.dsc
> +++ b/OvmfPkg/Microvm/MicrovmX64.dsc
> @@ -644,6 +644,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
>
> ################################################################
> ################
>
> #
>
> # Components Section - list of all EDK II Modules needed by this Platform.
>
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index dcf46d207d..2e04a3f8b1 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -666,6 +666,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
> !if $(CSM_ENABLE) == FALSE
>
> gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
>
> !endif
>
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index d0746cb72b..4ebf2aff34 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -675,6 +675,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
> !if $(CSM_ENABLE) == FALSE
>
> gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
>
> !endif
>
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 2caa4d2ecc..6f8f368977 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -703,6 +703,9 @@
> # Set ConfidentialComputing defaults
>
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
>
>
>
> + # Set SEV-SNP Secrets page address default
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0
>
> +
>
> !if $(CSM_ENABLE) == FALSE
>
> gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
>
> !endif
>
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c
> b/OvmfPkg/PlatformPei/AmdSev.c
> index e4e7b72e67..fa88c9ebd8 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -422,6 +422,11 @@ AmdSevInitialize (
> //
>
> if (MemEncryptSevSnpIsEnabled ()) {
>
> PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
> CCAttrAmdSevSnp);
>
> + ASSERT_RETURN_ERROR (PcdStatus);
>
> + PcdStatus = PcdSet64S (
>
> + PcdSevSnpSecretsAddress,
>
> + (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase)
>
> + );
>
> } else if (MemEncryptSevEsIsEnabled ()) {
>
> PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
> CCAttrAmdSevEs);
>
> } else {
>
> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf
> b/OvmfPkg/PlatformPei/PlatformPei.inf
> index 1fadadeb55..851af81248 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -115,6 +115,7 @@
> gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
>
> gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures
>
> gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
>
> + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress
>
>
>
> [FixedPcd]
>
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase
>
> --
> 2.25.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v4 4/4] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page
2022-12-21 15:50 [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
` (2 preceding siblings ...)
2022-12-21 15:50 ` [PATCH v4 3/4] OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase Roth, Michael
@ 2022-12-21 15:50 ` Roth, Michael
2022-12-21 17:34 ` [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
4 siblings, 0 replies; 7+ messages in thread
From: Roth, Michael @ 2022-12-21 15:50 UTC (permalink / raw)
To: devel; +Cc: Tom Lendacky, ray.ni
A full-featured SEV-SNP guest will not rely on the AP jump table, and
will instead use the AP Creation interface defined by the GHCB. However,
a guest is still allowed to use the AP jump table if desired.
However, unlike with SEV-ES guests, SEV-SNP guests should not
store/retrieve the jump table address via GHCB requests to the
hypervisor, they should instead store/retrieve it via the SEV-SNP
secrets page. Implement the store side of this for OVMF.
Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 +
UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
index 8c8b81d933..0c36538d59 100644
--- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
@@ -85,3 +85,4 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES
gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
+ gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress ## CONSUMES
diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
index beab06a5b1..8edc612772 100644
--- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c
@@ -15,6 +15,7 @@
#include <Library/CcExitLib.h>
#include <Register/Amd/Fam17Msr.h>
#include <Register/Amd/Ghcb.h>
+#include <Register/Amd/SnpSecretsPage.h>
#include <Protocol/Timer.h>
@@ -217,6 +218,15 @@ GetSevEsAPMemory (
DEBUG ((DEBUG_INFO, "Dxe: SevEsAPMemory = %lx\n", (UINTN)StartAddress));
+ if (ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) {
+ SNP_SECRETS_PAGE *Secrets;
+
+ Secrets = (SNP_SECRETS_PAGE *)(INTN)PcdGet64 (PcdSevSnpSecretsAddress);
+ Secrets->OsArea.ApJumpTablePa = (UINT64)(UINTN)StartAddress;
+
+ return (UINTN)StartAddress;
+ }
+
//
// Save the SevEsAPMemory as the AP jump table.
//
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP
2022-12-21 15:50 [PATCH v4 0/4] Fix AP Jump Table Handling for SEV-SNP Roth, Michael
` (3 preceding siblings ...)
2022-12-21 15:50 ` [PATCH v4 4/4] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page Roth, Michael
@ 2022-12-21 17:34 ` Roth, Michael
4 siblings, 0 replies; 7+ messages in thread
From: Roth, Michael @ 2022-12-21 17:34 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, ray.ni, Michael D Kinney, Liming Gao, Zhiguang Liu,
Ard Biesheuvel, Jiewen Yao, Gerd Hoffmann, Eric Dong, Rahul Kumar
On Wed, Dec 21, 2022 at 09:50:43AM -0600, Michael Roth wrote:
> A full-featured SEV-SNP guest will not rely on the AP jump table, and
> will instead use the AP Creation interface defined by the GHCB. However,
> a guest is still allowed to use the AP jump table if desired.
>
> However, unlike with SEV-ES guests, SEV-SNP guests should not
> store/retrieve the jump table address via GHCB requests to the
> hypervisor, they should instead store/retrieve it via the SEV-SNP
> secrets page.
>
> This series implements the store side of this for OVMF by introducing a
> PCD that can be used to pass the SEV-SNP secrets page address to
> UefiCpuPkg, where the jump table address is allocated. It also
> introduces a struct that defines the SEV-SNP secrets page format
> according to the GHCB v2.01 and SEV-SNP FW ABI specifications.
>
> v4:
> - Move storing of jump table address after relevant comment rather
> than before it. (Tom)
>
> v3:
> - Break up single patch into a set of patches containing the specific
> changes for each package. (Ray)
>
> v2:
> - Update Secrets OS area to match latest GHCB 2.01 spec (Tom)
> - Move Secrets header file into ./Register/AMD subdirectory (Tom)
> - Fix CI EccCheck due to assignment in variable declaration
>
> ----------------------------------------------------------------
> Michael Roth (4):
> MdePkg: Add header for SEV-SNP secrets page struct
> MdePkg: Add PcdSevSnpSecretsAddress to export SEV-SNP secrets page
> OvmfPkg: Initialize the PcdSevSnpSecretsAddress PCD during PEI phase
> UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page
Adding some Cc's from Maintainers.txt that I should have included originally:
Patch 1/2:
Michael D Kinney <michael.d.kinney@intel.com>
Liming Gao <gaoliming@byosoft.com.cn>
Zhiguang Liu <zhiguang.liu@intel.com>
Patch 3:
Ard Biesheuvel <ardb+tianocore@kernel.org>
Jiewen Yao <jiewen.yao@intel.com>
Gerd Hoffmann <kraxel@redhat.com>
Patch 4:
Eric Dong <eric.dong@intel.com>
Rahul Kumar <rahul1.kumar@intel.com>
Thanks,
Mike
>
> MdePkg/Include/Register/Amd/SnpSecretsPage.h | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> MdePkg/MdePkg.dec | 4 ++++
> OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
> OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++
> OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++
> OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++
> OvmfPkg/OvmfPkgIa32.dsc | 3 +++
> OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++
> OvmfPkg/OvmfPkgX64.dsc | 3 +++
> OvmfPkg/PlatformPei/AmdSev.c | 5 +++++
> OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
> UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 +
> UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 10 ++++++++++
> 13 files changed, 98 insertions(+)
> create mode 100644 MdePkg/Include/Register/Amd/SnpSecretsPage.h
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread