From: "duntan"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Gerd Hoffmann, Tom Lendacky, Ray Ni
Subject: [Patch V8 01/14] OvmfPkg:Remove code that apply AddressEncMask to non-leaf entry
Date: Thu, 29 Jun 2023 18:08:47 +0800
Message-Id: <20230629100847.1132-2-dun.tan@intel.com>
X-Mailer: git-send-email 2.31.1.windows.1
In-Reply-To: <20230629100847.1132-1-dun.tan@intel.com>
References: <20230629100847.1132-1-dun.tan@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Remove code that sets AddressEncMask for non-leaf entries when
modifying smm page table by MemEncryptSevLib. In FvbServicesSmm
driver, it calls MemEncryptSevClearMmioPageEncMask to clear
AddressEncMask bit in page table for a specific range. In AMD
SEV feature, this AddressEncMask bit in page table is used to
indicate if the memory is guest private memory or shared memory.
But all memory accessed by the hardware page table walker is
treated as encrypted, regardless of whether the encryption bit
is present. So removing the code that sets the EncMask bit for smm
non-leaf entries doesn't impact AMD SEV feature.

The reason encryption mask should not be set for non-leaf
entries is because CpuPageTableLib doesn't consume encryption
mask PCD. In PiSmmCpuDxeSmm module, it will use CpuPageTableLib
to modify smm page table in next patch. The encryption mask is
overlapped with the PageTableBaseAddress field of non-leaf page
table entries. If the encryption mask is set for smm non-leaf
page table entries, issue happens when CpuPageTableLib code
uses the non-leaf entry PageTableBaseAddress field with the
encryption mask set to find the next level page table.

Signed-off-by: Dun Tan
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Reviewed-by: Tom Lendacky
Reviewed-by: Ray Ni
---
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index cf2441b551..dee3fb8914 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -232,8 +232,14 @@ Split2MPageTo4K ( // // Fill in 2M page entry. // + // AddressEncMask is not set for non-leaf entries since CpuPageTableLib doesn't consume + // encryption mask PCD. The encryption mask is overlapped with the PageTableBaseAddress + // field of non-leaf page table entries. If encryption mask is set for non-leaf entries, + // issue happens when CpuPageTableLib code use the non-leaf entry PageTableBaseAddress + // field with the encryption mask set to find the next level page table. + // *PageEntry2M = ((UINT64)(UINTN)PageTableEntry1 | - IA32_PG_P | IA32_PG_RW | AddressEncMask); + IA32_PG_P | IA32_PG_RW); } /** @@ -352,7 +358,10 @@ SetPageTablePoolReadOnly ( PhysicalAddress += LevelSize[Level - 1]; } - PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask | + // + // AddressEncMask is not set for non-leaf entries because of the way CpuPageTableLib works + // + PageTable[Index] = (UINT64)(UINTN)NewPageTable | IA32_PG_P | IA32_PG_RW; PageTable = NewPageTable; } @@ -439,8 +448,10 @@ Split1GPageTo2M ( // // Fill in 1G page entry. // + // AddressEncMask is not set for non-leaf entries because of the way CpuPageTableLib works + // *PageEntry1G = ((UINT64)(UINTN)PageDirectoryEntry | - IA32_PG_P | IA32_PG_RW | AddressEncMask); + IA32_PG_P | IA32_PG_RW); PhysicalAddress2M = PhysicalAddress; for (IndexOfPageDirectoryEntries = 0; 
@@ -616,7 +627,11 @@ InternalMemEncryptSevCreateIdentityMap1G ( } SetMem (NewPageTable, EFI_PAGE_SIZE, 0); - PageMapLevel4Entry->Uint64 = (UINT64)(UINTN)NewPageTable | AddressEncMask; + + // + // AddressEncMask is not set for non-leaf entries because of the way CpuPageTableLib works + // + PageMapLevel4Entry->Uint64 = (UINT64)(UINTN)NewPageTable; PageMapLevel4Entry->Bits.MustBeZero = 0; PageMapLevel4Entry->Bits.ReadWrite = 1; PageMapLevel4Entry->Bits.Present = 1; -- 2.31.1.windows.1
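
Review bot: In Split2MPageTo4K the new comment explains why CpuPageTableLib cannot tolerate the mask in a non-leaf entry, but not why dropping it is safe for an SEV guest. The commit message gives that reason (memory accessed by the hardware page table walker is treated as encrypted whether or not the bit is present); one line to that effect above `*PageEntry2M = ((UINT64)(UINTN)PageTableEntry1 |` would keep the justification with the code. Wording nit in the same comment: "issue happens when CpuPageTableLib code use" would read better as "the walk fails when CpuPageTableLib uses".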
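
Review bot: The comment added in SetPageTablePoolReadOnly ("because of the way CpuPageTableLib works"), repeated in Split1GPageTo2M, does not say what breaks, so a reader landing on `PageTable[Index] = (UINT64)(UINTN)NewPageTable |` has to find the explanation elsewhere. Suggest either pointing at the full comment in Split2MPageTo4K or stating the cause in one line: the mask overlaps the PageTableBaseAddress field of non-leaf entries.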
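
Review bot: In InternalMemEncryptSevCreateIdentityMap1G, as at the other three sites, only entries written from now on lose the mask; nothing in the visible hunks clears AddressEncMask from non-leaf entries that already exist in the table being modified. If a table can reach CpuPageTableLib with such entries still present, the failure the commit message describes remains. Worth confirming where in the series those entries are created without the mask, or adding a check on the walk path (for example an ASSERT that a present non-leaf entry has the bit clear).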
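
The failure described in the commit message, as an added example that is not part of the patch or of EDK2: a simplified two-level walker over simulated memory shows what happens when a walker that ignores the encryption mask follows a non-leaf entry that carries it. The bit position 51, the sample addresses and all function names are assumptions made for the illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PG_P       0x1ULL
#define PG_RW      0x2ULL
#define ADDR_MASK  0x000FFFFFFFFFF000ULL  /* bits 51:12: next-table / page address */
#define ENC_MASK   (1ULL << 51)           /* assumed encryption-bit position */
#define WALK_FAULT UINT64_MAX
#define NTABLES    2

/* Simulated physical memory: two 4 KiB tables at PA 0x0000 and 0x1000. */
static uint64_t mem[NTABLES][512];

static uint64_t *table_at(uint64_t pa) {
    return (pa >> 12) < NTABLES ? mem[pa >> 12] : NULL;
}

/* Two-level walk. strip_mask is what the walker removes from a non-leaf
   entry before following it; 0 models a walker unaware of the mask. */
uint64_t walk(uint64_t va, uint64_t strip_mask) {
    uint64_t nonleaf = mem[0][(va >> 21) & 0x1FF];
    if (!(nonleaf & PG_P)) return WALK_FAULT;
    uint64_t *leaf_table = table_at(nonleaf & ADDR_MASK & ~strip_mask);
    if (leaf_table == NULL) return WALK_FAULT;   /* followed a bogus address */
    uint64_t leaf = leaf_table[(va >> 12) & 0x1FF];
    if (!(leaf & PG_P)) return WALK_FAULT;
    /* The leaf keeps the mask (private page); drop it to report the PA. */
    return (leaf & ADDR_MASK & ~ENC_MASK) | (va & 0xFFF);
}

/* Map VA 0x3000 -> PA 0x5000 with the given mask on the non-leaf entry,
   then translate VA 0x3010. All addresses are constructed sample values. */
uint64_t translate(uint64_t nonleaf_mask, uint64_t strip_mask) {
    mem[0][0] = 0x1000ULL | PG_P | PG_RW | nonleaf_mask;
    mem[1][3] = 0x5000ULL | PG_P | PG_RW | ENC_MASK;
    return walk(0x3010, strip_mask);
}

int main(void) {
    printf("mask set, unaware walker:   %#" PRIx64 "\n", translate(ENC_MASK, 0));
    printf("mask clear, unaware walker: %#" PRIx64 "\n", translate(0, 0));
    printf("mask set, aware walker:     %#" PRIx64 "\n", translate(ENC_MASK, ENC_MASK));
    return 0;
}
```

Only the first case faults: the mask bit lands inside the address field, so the unaware walker looks for the next table at an address that does not exist.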