From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mx.groups.io with SMTP id smtpd.web10.30789.1679443023007772831 for ; Tue, 21 Mar 2023 16:57:03 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=joKJb+7z; spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: ray.ni@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679443023; x=1710979023; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ofRTwljEH04EFviwAXRjiaowHhrwMUdVvcESqwFhXlc=; b=joKJb+7zK3nlg9wsuigL+nvfNrvtyF5u7+P5clqvnuOhcer+kik+4KzX LnQ6vCxR1YTfZLddmJTjwjzM4kFM4YPbsyIf3RiJ5MYrbR5h5JGHZUJoH mF11CA6wz7OahJf9ivkDFEb1oSLiz4/gJfYJJs+oeM2Jr9aGr1UVUDbFU 2h9pZyrHOEMV9dYJpj3aI0R56UJH8N6Jr2F2aZVwXe0XV/9hawBl4Ctxx wIf8TgZKt895JTtlrz5IsUwNfQAXFWUe5JLKNeIsvkVCEGcgxn671aOPn QlOVEBc4jumILVrig2zo4+d9mTSB5X+gZB00Alszfn2NAuwkCKifQPJdw A==; X-IronPort-AV: E=McAfee;i="6600,9927,10656"; a="341441496" X-IronPort-AV: E=Sophos;i="5.98,280,1673942400"; d="scan'208";a="341441496" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Mar 2023 16:56:56 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10656"; a="805627723" X-IronPort-AV: E=Sophos;i="5.98,280,1673942400"; d="scan'208";a="805627723" Received: from shwdeopenlab706.ccr.corp.intel.com ([10.239.55.95]) by orsmga004.jf.intel.com with ESMTP; 21 Mar 2023 16:56:55 -0700 
From: "Ni, Ray" To: devel@edk2.groups.io Cc: Michael D Kinney , Liming Gao , Zhiguang Liu Subject: [PATCH 1/6] MdePkg: Add TME-MK related CPUID and MSR definitions Date: Wed, 22 Mar 2023 07:56:45 +0800 Message-Id: <20230321235650.675-2-ray.ni@intel.com> X-Mailer: git-send-email 2.39.1.windows.1 In-Reply-To: <20230321235650.675-1-ray.ni@intel.com> References: <20230321235650.675-1-ray.ni@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable TME (Total Memory Encryption) is the capability to encrypt the entirety of physical memory of a system. TME-MK (Total Memory Encryption-Multi-Key) builds on TME and adds support for multiple encryption keys. The patch adds some necessary CPUID/MSR definitions for TME-MK. Signed-off-by: Ray Ni Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu --- .../Include/Register/Intel/ArchitecturalMsr.h | 106 +++++++++++++++++- MdePkg/Include/Register/Intel/Cpuid.h | 9 +- 2 files changed, 112 insertions(+), 3 deletions(-) diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Incl= ude/Register/Intel/ArchitecturalMsr.h index 071a8c689c..76d80660da 100644 --- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h +++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h @@ -6,7 +6,7 @@ returned is a single 32-bit or 64-bit value, then a data structure is no= t=0D provided for that MSR.=0D =0D - Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
=0D + Copyright (c) 2016 - 2023, Intel Corporation. All rights reserved.
=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D @par Specification Reference:=0D 
@@ -5679,6 +5679,110 @@ typedef union { **/=0D #define MSR_IA32_X2APIC_SELF_IPI 0x0000083F=0D =0D +/**=0D + Memory Encryption Activation MSR. If CPUID.07H:ECX.[13] =3D 1.=0D +=0D + @param ECX MSR_IA32_TME_ACTIVATE (0x00000982)=0D + @param EAX Lower 32-bits of MSR value.=0D + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.=0D + @param EDX Upper 32-bits of MSR value.=0D + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.=0D +=0D + Example usage=0D + @code=0D + MSR_IA32_TME_ACTIVATE_REGISTER Msr;=0D +=0D + Msr.Uint64 =3D AsmReadMsr64 (MSR_IA32_TME_ACTIVATE);=0D + AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64);=0D + @endcode=0D + @note MSR_IA32_TME_ACTIVATE is defined as IA32_TME_ACTIVATE in SDM.=0D +**/=0D +#define MSR_IA32_TME_ACTIVATE 0x00000982=0D +=0D +/**=0D + MSR information returned for MSR index #MSR_IA32_TME_ACTIVATE=0D +**/=0D +typedef union {=0D + ///=0D + /// Individual bit fields=0D + ///=0D + struct {=0D + ///=0D + /// [Bit 0] Lock R/O: Will be set upon successful WRMSR (or first SMI)= ;=0D + /// written value ignored..=0D + ///=0D + UINT32 Lock : 1;=0D + ///=0D + /// [Bit 1] Hardware Encryption Enable: This bit also enables MKTME; M= KTME=0D + /// cannot be enabled without enabling encryption hardware.=0D + ///=0D + UINT32 TmeEnable : 1;=0D + ///=0D + /// [Bit 2] Key Select:=0D + /// 0: Create a new TME key (expected cold/warm boot).=0D + /// 1: Restore the TME key from storage (Expected when resume from sta= ndby).=0D + ///=0D + UINT32 KeySelect : 1;=0D + ///=0D + /// [Bit 3] Save TME Key for Standby: Save key into storage to be used= when=0D + /// resume from standby.=0D + /// Note: This may not be supported in all processors.=0D + ///=0D + UINT32 SaveKeyForStandby : 1;=0D + ///=0D + /// [Bit 7:4] TME Policy/Encryption Algorithm: Only algorithms enumera= ted in=0D + /// IA32_TME_CAPABILITY are allowed.=0D + /// For example:=0D + /// 0000 =E2=80=93 AES-XTS-128.=0D + /// 0001 =E2=80=93 AES-XTS-128 with integrity.=0D + /// 0010 =E2=80=93 
AES-XTS-256.=0D + /// Other values are invalid.=0D + ///=0D + UINT32 TmePolicy : 4;=0D + UINT32 Reserved : 23;=0D + ///=0D + /// [Bit 31] TME Encryption Bypass Enable: When encryption hardware is= enabled:=0D + /// * Total Memory Encryption is enabled using a CPU generated ephemer= al key=0D + /// based on a hardware random number generator when this bit is set= to 0.=0D + /// * Total Memory Encryption is bypassed (no encryption/decryption fo= r KeyID0)=0D + /// when this bit is set to 1.=0D + /// Software must inspect Hardware Encryption Enable (bit 1) and TME e= ncryption=0D + /// bypass Enable (bit 31) to determine if TME encryption is enabled.= =0D + ///=0D + UINT32 TmeBypassMode : 1;=0D + ///=0D + /// [Bit 35:32] MK_TME_KEYID_BITS: Reserved if MKTME is not enumerated= , otherwise:=0D + /// The number of key identifier bits to allocate to MKTME usage.=0D + /// Similar to enumeration, this is an encoded value.=0D + /// Writing a value greater than MK_TME_MAX_KEYID_BITS will result in = #GP.=0D + /// Writing a non-zero value to this field will #GP if bit 1 of EAX (H= ardware=0D + /// Encryption Enable) is not also set to =E2=80=981, as encryption ha= rdware must be=0D + /// enabled to use MKTME.=0D + /// Example: To support 255 keys, this field would be set to a value o= f 8.=0D + ///=0D + UINT32 MkTmeKeyidBits : 4;=0D + UINT32 Reserved2 : 12;=0D + ///=0D + /// [Bit 63:48] MK_TME_CRYPTO_ALGS: Reserved if MKTME is not enumerate= d, otherwise:=0D + /// Bit 48: AES-XTS 128.=0D + /// Bit 49: AES-XTS 128 with integrity.=0D + /// Bit 50: AES-XTS 256.=0D + /// Bit 63:51: Reserved (#GP)=0D + /// Bitmask for BIOS to set which encryption algorithms are allowed fo= r MKTME, would=0D + /// be later enforced by the key loading ISA ('1=3D allowed)=0D + ///=0D + UINT32 MkTmeCryptoAlgs : 16;=0D + } Bits;=0D + ///=0D + /// All bit fields as a 32-bit value=0D + ///=0D + UINT32 Uint32;=0D + ///=0D + /// All bit fields as a 64-bit value=0D + ///=0D + UINT64 Uint64;=0D +} 
MSR_IA32_TME_ACTIVATE_REGISTER;=0D +=0D /**=0D Silicon Debug Feature Control (R/W). If CPUID.01H:ECX.[11] =3D 1.=0D =0D diff --git a/MdePkg/Include/Register/Intel/Cpuid.h b/MdePkg/Include/Registe= r/Intel/Cpuid.h index 350bf60252..1fb880c85c 100644 --- a/MdePkg/Include/Register/Intel/Cpuid.h +++ b/MdePkg/Include/Register/Intel/Cpuid.h @@ -6,7 +6,7 @@ If a register returned is a single 32-bit value, then a data structure i= s=0D not provided for that register.=0D =0D - Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
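Review bot: The `Example usage` block for MSR_IA32_TME_ACTIVATE shows a plain read-modify-write, but the `Lock` field documented a few lines below says a successful WRMSR (or the first SMI) sets Lock and later written values are ignored, so the write in the example is effectively one-shot and the doc does not say so. I would add under @endcode: `@note A successful WRMSR sets Bits.Lock; TmeEnable, TmePolicy, TmeBypassMode and MkTmeKeyidBits must all be programmed in that single write.` The field comments also reference IA32_TME_CAPABILITY (TmePolicy: "Only algorithms enumerated in IA32_TME_CAPABILITY are allowed") and the Cpuid.h hunk's TME_EN comment lists IA32_TME_EXCLUDE_MASK and IA32_TME_EXCLUDE_BASE, yet this patch defines only MSR_IA32_TME_ACTIVATE; presumably a later patch in the series adds them, otherwise these cross-references dangle. Minor style: the padding fields are named `Reserved` and `Reserved2` where the rest of this file numbers them from Reserved1, and `written value ignored..` has a doubled period.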
=0D + Copyright (c) 2015 - 2023, Intel Corporation. All rights reserved.
=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D @par Specification Reference:=0D @@ -1490,7 +1490,12 @@ typedef union { /// RDPKRU/WRPKRU instructions).=0D ///=0D UINT32 OSPKE : 1;=0D - UINT32 Reserved5 : 9;=0D + UINT32 Reserved8 : 8;=0D + ///=0D + /// [Bit 13] If 1, the following MSRs are supported: IA32_TME_CAPABILI= TY, IA32_TME_ACTIVATE,=0D + /// IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE.=0D + ///=0D + UINT32 TME_EN : 1;=0D ///=0D /// [Bits 14] AVX512_VPOPCNTDQ. (Intel Xeon Phi only.).=0D ///=0D --=20 2.39.1.windows.1