From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id AC2B57803E5 for ; Thu, 2 May 2024 14:36:07 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=wM9BcyT2f3Qc4YsH/dqlkZwDi46aI8jOfveoyASpf3s=; c=relaxed/simple; d=groups.io; h=Received-SPF:From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding:Content-Type; s=20240206; t=1714660566; v=1; b=iTcdPLp8DA2eQ8Es56Jae1xGdBN/o5F4z7RnQFRC1Oant9h6V7Rwn9kVtYiMIU0WOzcQh+DF AGRa9qI9UKv2/j0AEGSAN8CDWlkwlq6x0PbZe2gj++mXhKly9nL2LpyDuPvcDrXRykzCfSSL0kx gGCXPeqNxwKyU8JzDpwQTXe8nXBj8aebM9lyjXirzl0SMKEfutqhXW2z20lnpzU/9AK5pQ9SfLl ni0xQgDVW8m80n1ZBNAF2Cebue6OnKA5/DDqiA6BPk3i4t+OZmIGQMEuIcZLrHNLb3FhuaBWkne v4Gq/njwwvGJbSUll/4PgecyHM1GFeVCkvAf617McDfOQ== X-Received: by 127.0.0.2 with SMTP id FTcOYY7687511xAKnRUL0wcP; Thu, 02 May 2024 07:36:06 -0700 X-Received: from NAM04-MW2-obe.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com [40.107.101.42]) by mx.groups.io with SMTP id smtpd.web10.7090.1714660565601192000 for ; Thu, 02 May 2024 07:36:05 -0700 X-Received: from MN2PR15CA0065.namprd15.prod.outlook.com (2603:10b6:208:237::34) by CY5PR12MB6621.namprd12.prod.outlook.com (2603:10b6:930:43::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7519.34; Thu, 2 May 2024 14:35:58 +0000 X-Received: from MN1PEPF0000F0E5.namprd04.prod.outlook.com (2603:10b6:208:237:cafe::3f) by MN2PR15CA0065.outlook.office365.com (2603:10b6:208:237::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.29 via Frontend Transport; Thu, 2 May 2024 14:35:58 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C X-Received: from SATLEXMB04.amd.com (165.204.84.17) by MN1PEPF0000F0E5.mail.protection.outlook.com (10.167.242.43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.7544.18 via Frontend Transport; Thu, 2 May 2024 14:35:58 +0000 X-Received: from aiemdee.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 2 May 2024 09:35:54 -0500 From: "Alexey Kardashevskiy via groups.io" To: CC: Tom Lendacky , Liming Gao , Michael D Kinney , Zhiguang Liu , Ard Biesheuvel , Erdem Aktas , "Gerd Hoffmann" , Jiewen Yao , Michael Roth , Min Xu , Alexey Kardashevskiy Subject: [edk2-devel] [PATCH ovmf v3 3/5] OvmfPkg: Add AMD SEV-ES DebugSwap feature support Date: Fri, 3 May 2024 00:34:43 +1000 Message-ID: <20240502143445.526098-4-aik@amd.com> In-Reply-To: <20240502143445.526098-1-aik@amd.com> References: <20240502143445.526098-1-aik@amd.com> MIME-Version: 1.0 X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: MN1PEPF0000F0E5:EE_|CY5PR12MB6621:EE_ X-MS-Office365-Filtering-Correlation-Id: f98e551f-309d-42e0-b057-08dc6ab52eae X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?Gu8MDpXbcyJy16clBElM+UhwWc4vWA15IuhoT9ecIiCjgyXvmbU7tRmqChMo?= =?us-ascii?Q?RG2SWaqLKz1Oyk5F80NxcYnKHf1z1XInOjm9FOSTsE0rSfs5+MaVbfiffVv1?= =?us-ascii?Q?e4SDu2wjVdiStHTNISf+RumZzI3TfrMPMqnOju6IZw98z9UArxgsnl2OZYOw?= =?us-ascii?Q?S/4UvOQElfYtLZ719l+MtYMjs0eqqLLHDmCDA+HyXdsdPuhVm9C7uDY6vh5G?= =?us-ascii?Q?Yl1VuLJsTI651lyo+LSBj4EM7gd1JcwAXXDThcJIlCYz11Is7OoyKTr1OQnu?= =?us-ascii?Q?VdL5XKh/8cQIHOABf2gr9qbYYahtDbym3vzb8z1b5bJ+SfXDVm0zhNnictgD?= =?us-ascii?Q?q4zd48NKjJj/A1oXfk5z+6sRQsUVFnxZibV4p8gefDarn6IAP6ztx/naC28/?= =?us-ascii?Q?Wr459Tc1xHRF5b/uODjtgCr1ceAvM5ptgVRoAG4uD6GPqDtfFQXmMs7CspsX?= =?us-ascii?Q?Tf+crV+zuySNM0qWJFH3M91SU5oElTHzig531JME37D7Z5kLdoAtnPSnPqOC?= =?us-ascii?Q?CGb0UFTYx2FQtvGRbcdgXtD2tFWw+oHCftUIx82khqjXLOdQDzNEk/cEoXCl?= =?us-ascii?Q?Ph2esR9o7oQXUw8EHaL19+51L5OUdPC78lRmo3J54u4Vmlm0bw3a+kcXMbPx?= =?us-ascii?Q?dbrVZQgUirqweG0iSs0Xz7AMDsKCA6Wqy8Pqfvy+hi+ox+BsFkBRfEXFjiYA?= =?us-ascii?Q?z8fGljLEpMxkjlKzo8Os3z6iSyUnhE5Z2pWqEQ/iVGrnNdn+0WctkTJ0WUfT?= =?us-ascii?Q?yaXd9TQjopiNSCLwqQkDJy7vZxccyO9S9h9Yb+QpmH8IfCBE2LQ68np2aQ1M?= =?us-ascii?Q?T7noDwC52J8jvCO3LXOtoIaM3AsPI++8CfX7AzdtU0E51xF1nlVwtQ30vN8F?= =?us-ascii?Q?sls5Sij1BwmjXKvuiViLFCSE9POX+ly1I+rZI2O0gQ5id4B6nqkrkvR5fj8/?= =?us-ascii?Q?4GxlQtluYURnkmRWhS+oHmP9XMU+64UZIydEO+YERwHqJO+GE7KAm/tPBK+X?= =?us-ascii?Q?XLv8JjIEgrWYSxGmnKqgNED9bRKhekRINaqZ06pW2UKHJSGt6raSDu7NR+n/?= =?us-ascii?Q?KhHjKE8K7Mda+SAq+sdiOTNzi1XdGpwy8U1SA3fhcwUSOTGY1pGPUuATGjCS?= =?us-ascii?Q?kaSnFtXaFVTMgF/HwD5P6mKfHANT4202qV32Jyxh7sx9K+6FFhqt64+pJ8Xs?= =?us-ascii?Q?aeGy+W5ucg6yPtu5tQcYmduly7v55SUgxFjp0z9da1gwM9MUL8Pqlc+Y53fG?= =?us-ascii?Q?yt2b6WMhktjTEf5p2H91vaGvEuratq/L4TenEDk76hUc3fNqCtwAmlmSEciT?= =?us-ascii?Q?CLLd2660TesI7oNe9+Z0ui4U5uKrCF/lTNI31NxY+r3Z3HYcIUr21GwTbmSF?= =?us-ascii?Q?sLDJqOg=3D?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 May 2024 14:35:58.3030 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: f98e551f-309d-42e0-b057-08dc6ab52eae X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: MN1PEPF0000F0E5.namprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR12MB6621 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Thu, 02 May 2024 07:36:05 -0700 Resent-From: aik@amd.com Reply-To: devel@edk2.groups.io,aik@amd.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: MYQhog9Xuxb0cHaVF8fJOezUx7686176AA= Content-Transfer-Encoding: quoted-printable Content-Type: text/plain X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=iTcdPLp8; dmarc=pass (policy=none) header.from=groups.io; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io The SEV-ES DebugSwap feature enables type B swaping of debug registers on #VMEXIT and makes #DB and DR7 intercepts unnecessary and unwanted. When DebugSwap is enabled, this stops booting if #VC for #DB or DB7 read/write occurs as this signals unwanted interaction from the HV. This adds new API which uses SEV-ES working area in PEI and SEC. This does not change the existing behavour for DXE just yet but soon. Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Cc: Jiewen Yao Cc: Michael Roth Cc: Min Xu Cc: Tom Lendacky Signed-off-by: Alexey Kardashevskiy --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 ++= +++++++ OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 ++= +++++++++++++++--- OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 19 ++= ++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 19 ++= ++++++++++++ OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 8 ++= ++++ 5 files changed, 82 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 4fa9c0d70083..0fa86aecc38c 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask ( VOID ); =20 +/** + Returns a boolean to indicate whether DebugSwap is enabled. + + @retval TRUE DebugSwap is enabled + @retval FALSE DebugSwap is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugSwapIsEnabled ( + VOID + ); + /** Returns the encryption state of the specified virtual address range. =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4aba0075b9e2..ebc4c9bb5d06 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck ( IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { + UINT64 CurrentLevel; + + CurrentLevel =3D CurrentAttr & CCAttrTypeMask; + switch (Attr) { case CCAttrAmdSev: // // SEV is automatically enabled if SEV-ES or SEV-SNP is active. // - return CurrentAttr >=3D CCAttrAmdSev; + return CurrentLevel >=3D CCAttrAmdSev; case CCAttrAmdSevEs: // // SEV-ES is automatically enabled if SEV-SNP is active. // - return CurrentAttr >=3D CCAttrAmdSevEs; + return CurrentLevel >=3D CCAttrAmdSevEs; case CCAttrAmdSevSnp: - return CurrentAttr =3D=3D CCAttrAmdSevSnp; + return CurrentLevel =3D=3D CCAttrAmdSevSnp; + case CCAttrFeatureAmdSevDebugSwap: + return !!(CurrentAttr & CCAttrFeatureAmdSevDebugSwap); default: return FALSE; } @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask ( =20 return mSevEncryptionMask; } + +/** + Returns a boolean to indicate whether DebugSwap is enabled. + + @retval TRUE DebugSwap is enabled + @retval FALSE DebugSwap is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugSwapIsEnabled ( + VOID + ) +{ + return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevDebugSwap); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index 41d1246a5b31..e2ebc8afcaee 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -141,3 +141,22 @@ MemEncryptSevGetEncryptionMask ( =20 return SevEsWorkArea->EncryptionMask; } + +/** + Returns a boolean to indicate whether DebugSwap is enabled. + + @retval TRUE DebugSwap is enabled + @retval FALSE DebugSwap is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugSwapIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.DebugSwap ? TRUE : FALSE; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 27148c7e337a..0e82dc85b299 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -142,6 +142,25 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } =20 +/** + Returns a boolean to indicate whether DebugSwap is enabled. + + @retval TRUE DebugSwap is enabled + @retval FALSE DebugSwap is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugSwapIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.DebugSwap ? TRUE : FALSE; +} + /** Locate the page range that covers the initial (pre-SMBASE-relocation) SM= RAM Save State Map. diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/= CcExitLib/CcExitVcHandler.c index da8f1e5db9fa..29e244df3007 100644 --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c @@ -1609,6 +1609,10 @@ Dr7WriteExit ( UINT64 *Register; UINT64 Status; =20 + if (MemEncryptSevEsDebugSwapIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext =3D &InstructionData->Ext; SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); =20 @@ -1659,6 +1663,10 @@ Dr7ReadExit ( SEV_ES_PER_CPU_DATA *SevEsData; UINT64 *Register; =20 + if (MemEncryptSevEsDebugSwapIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext =3D &InstructionData->Ext; SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); =20 --=20 2.44.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118516): https://edk2.groups.io/g/devel/message/118516 Mute This Topic: https://groups.io/mt/105863824/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-