From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+118516+7686176+12367111@groups.io>
Received: from mail05.groups.io (mail05.groups.io [45.79.224.7])
	by spool.mail.gandi.net (Postfix) with ESMTPS id AC2B57803E5
	for <rebecca@openfw.io>; Thu,  2 May 2024 14:36:07 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=wM9BcyT2f3Qc4YsH/dqlkZwDi46aI8jOfveoyASpf3s=;
 c=relaxed/simple; d=groups.io;
 h=Received-SPF:From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding:Content-Type;
 s=20240206; t=1714660566; v=1;
 b=iTcdPLp8DA2eQ8Es56Jae1xGdBN/o5F4z7RnQFRC1Oant9h6V7Rwn9kVtYiMIU0WOzcQh+DF
 AGRa9qI9UKv2/j0AEGSAN8CDWlkwlq6x0PbZe2gj++mXhKly9nL2LpyDuPvcDrXRykzCfSSL0kx
 gGCXPeqNxwKyU8JzDpwQTXe8nXBj8aebM9lyjXirzl0SMKEfutqhXW2z20lnpzU/9AK5pQ9SfLl
 ni0xQgDVW8m80n1ZBNAF2Cebue6OnKA5/DDqiA6BPk3i4t+OZmIGQMEuIcZLrHNLb3FhuaBWkne
 v4Gq/njwwvGJbSUll/4PgecyHM1GFeVCkvAf617McDfOQ==
X-Received: by 127.0.0.2 with SMTP id FTcOYY7687511xAKnRUL0wcP; Thu, 02 May 2024 07:36:06 -0700
X-Received: from NAM04-MW2-obe.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com [40.107.101.42])
 by mx.groups.io with SMTP id smtpd.web10.7090.1714660565601192000
 for <devel@edk2.groups.io>;
 Thu, 02 May 2024 07:36:05 -0700
X-Received: from MN2PR15CA0065.namprd15.prod.outlook.com (2603:10b6:208:237::34)
 by CY5PR12MB6621.namprd12.prod.outlook.com (2603:10b6:930:43::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7519.34; Thu, 2 May
 2024 14:35:58 +0000
X-Received: from MN1PEPF0000F0E5.namprd04.prod.outlook.com
 (2603:10b6:208:237:cafe::3f) by MN2PR15CA0065.outlook.office365.com
 (2603:10b6:208:237::34) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.29 via Frontend
 Transport; Thu, 2 May 2024 14:35:58 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
 smtp.mailfrom=amd.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
X-Received: from SATLEXMB04.amd.com (165.204.84.17) by
 MN1PEPF0000F0E5.mail.protection.outlook.com (10.167.242.43) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.20.7544.18 via Frontend Transport; Thu, 2 May 2024 14:35:58 +0000
X-Received: from aiemdee.amd.com (10.180.168.240) by SATLEXMB04.amd.com
 (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 2 May
 2024 09:35:54 -0500
From: "Alexey Kardashevskiy via groups.io" <aik=amd.com@groups.io>
To: <devel@edk2.groups.io>
CC: Tom Lendacky <thomas.lendacky@amd.com>, Liming Gao
	<gaoliming@byosoft.com.cn>, Michael D Kinney <michael.d.kinney@intel.com>,
	Zhiguang Liu <zhiguang.liu@intel.com>, Ard Biesheuvel
	<ardb+tianocore@kernel.org>, Erdem Aktas <erdemaktas@google.com>, "Gerd
 Hoffmann" <kraxel@redhat.com>, Jiewen Yao <jiewen.yao@intel.com>, Michael
 Roth <michael.roth@amd.com>, Min Xu <min.m.xu@intel.com>, Alexey
 Kardashevskiy <aik@amd.com>
Subject: [edk2-devel] [PATCH ovmf v3 3/5] OvmfPkg: Add AMD SEV-ES DebugSwap feature support
Date: Fri, 3 May 2024 00:34:43 +1000
Message-ID: <20240502143445.526098-4-aik@amd.com>
In-Reply-To: <20240502143445.526098-1-aik@amd.com>
References: <20240502143445.526098-1-aik@amd.com>
MIME-Version: 1.0
X-Originating-IP: [10.180.168.240]
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
 (10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: MN1PEPF0000F0E5:EE_|CY5PR12MB6621:EE_
X-MS-Office365-Filtering-Correlation-Id: f98e551f-309d-42e0-b057-08dc6ab52eae
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Message-Info: 
	=?us-ascii?Q?Gu8MDpXbcyJy16clBElM+UhwWc4vWA15IuhoT9ecIiCjgyXvmbU7tRmqChMo?=
 =?us-ascii?Q?RG2SWaqLKz1Oyk5F80NxcYnKHf1z1XInOjm9FOSTsE0rSfs5+MaVbfiffVv1?=
 =?us-ascii?Q?e4SDu2wjVdiStHTNISf+RumZzI3TfrMPMqnOju6IZw98z9UArxgsnl2OZYOw?=
 =?us-ascii?Q?S/4UvOQElfYtLZ719l+MtYMjs0eqqLLHDmCDA+HyXdsdPuhVm9C7uDY6vh5G?=
 =?us-ascii?Q?Yl1VuLJsTI651lyo+LSBj4EM7gd1JcwAXXDThcJIlCYz11Is7OoyKTr1OQnu?=
 =?us-ascii?Q?VdL5XKh/8cQIHOABf2gr9qbYYahtDbym3vzb8z1b5bJ+SfXDVm0zhNnictgD?=
 =?us-ascii?Q?q4zd48NKjJj/A1oXfk5z+6sRQsUVFnxZibV4p8gefDarn6IAP6ztx/naC28/?=
 =?us-ascii?Q?Wr459Tc1xHRF5b/uODjtgCr1ceAvM5ptgVRoAG4uD6GPqDtfFQXmMs7CspsX?=
 =?us-ascii?Q?Tf+crV+zuySNM0qWJFH3M91SU5oElTHzig531JME37D7Z5kLdoAtnPSnPqOC?=
 =?us-ascii?Q?CGb0UFTYx2FQtvGRbcdgXtD2tFWw+oHCftUIx82khqjXLOdQDzNEk/cEoXCl?=
 =?us-ascii?Q?Ph2esR9o7oQXUw8EHaL19+51L5OUdPC78lRmo3J54u4Vmlm0bw3a+kcXMbPx?=
 =?us-ascii?Q?dbrVZQgUirqweG0iSs0Xz7AMDsKCA6Wqy8Pqfvy+hi+ox+BsFkBRfEXFjiYA?=
 =?us-ascii?Q?z8fGljLEpMxkjlKzo8Os3z6iSyUnhE5Z2pWqEQ/iVGrnNdn+0WctkTJ0WUfT?=
 =?us-ascii?Q?yaXd9TQjopiNSCLwqQkDJy7vZxccyO9S9h9Yb+QpmH8IfCBE2LQ68np2aQ1M?=
 =?us-ascii?Q?T7noDwC52J8jvCO3LXOtoIaM3AsPI++8CfX7AzdtU0E51xF1nlVwtQ30vN8F?=
 =?us-ascii?Q?sls5Sij1BwmjXKvuiViLFCSE9POX+ly1I+rZI2O0gQ5id4B6nqkrkvR5fj8/?=
 =?us-ascii?Q?4GxlQtluYURnkmRWhS+oHmP9XMU+64UZIydEO+YERwHqJO+GE7KAm/tPBK+X?=
 =?us-ascii?Q?XLv8JjIEgrWYSxGmnKqgNED9bRKhekRINaqZ06pW2UKHJSGt6raSDu7NR+n/?=
 =?us-ascii?Q?KhHjKE8K7Mda+SAq+sdiOTNzi1XdGpwy8U1SA3fhcwUSOTGY1pGPUuATGjCS?=
 =?us-ascii?Q?kaSnFtXaFVTMgF/HwD5P6mKfHANT4202qV32Jyxh7sx9K+6FFhqt64+pJ8Xs?=
 =?us-ascii?Q?aeGy+W5ucg6yPtu5tQcYmduly7v55SUgxFjp0z9da1gwM9MUL8Pqlc+Y53fG?=
 =?us-ascii?Q?yt2b6WMhktjTEf5p2H91vaGvEuratq/L4TenEDk76hUc3fNqCtwAmlmSEciT?=
 =?us-ascii?Q?CLLd2660TesI7oNe9+Z0ui4U5uKrCF/lTNI31NxY+r3Z3HYcIUr21GwTbmSF?=
 =?us-ascii?Q?sLDJqOg=3D?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 May 2024 14:35:58.3030
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f98e551f-309d-42e0-b057-08dc6ab52eae
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	MN1PEPF0000F0E5.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR12MB6621
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Resent-Date: Thu, 02 May 2024 07:36:05 -0700
Resent-From: aik@amd.com
Reply-To: devel@edk2.groups.io,aik@amd.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: MYQhog9Xuxb0cHaVF8fJOezUx7686176AA=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20240206 header.b=iTcdPLp8;
	dmarc=pass (policy=none) header.from=groups.io;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io

The SEV-ES DebugSwap feature enables type B swaping of debug registers
on #VMEXIT and makes #DB and DR7 intercepts unnecessary and unwanted.

When DebugSwap is enabled, this stops booting if #VC for #DB or
DB7 read/write occurs as this signals unwanted interaction from the HV.

This adds new API which uses SEV-ES working area in PEI and SEC.

This does not change the existing behavour for DXE just yet but soon.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
 OvmfPkg/Include/Library/MemEncryptSevLib.h                         | 12 ++=
+++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 ++=
+++++++++++++++---
 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 19 ++=
++++++++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 19 ++=
++++++++++++
 OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                        |  8 ++=
++++
 5 files changed, 82 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L=
ibrary/MemEncryptSevLib.h
index 4fa9c0d70083..0fa86aecc38c 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask (
   VOID
   );
=20
+/**
+  Returns a boolean to indicate whether DebugSwap is enabled.
+
+  @retval TRUE           DebugSwap is enabled
+  @retval FALSE          DebugSwap is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugSwapIsEnabled (
+  VOID
+  );
+
 /**
   Returns the encryption state of the specified virtual address range.
=20
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern=
al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
index 4aba0075b9e2..ebc4c9bb5d06 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
@@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck (
   IN  CONFIDENTIAL_COMPUTING_GUEST_ATTR  Attr
   )
 {
+  UINT64  CurrentLevel;
+
+  CurrentLevel =3D CurrentAttr & CCAttrTypeMask;
+
   switch (Attr) {
     case CCAttrAmdSev:
       //
       // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
       //
-      return CurrentAttr >=3D CCAttrAmdSev;
+      return CurrentLevel >=3D CCAttrAmdSev;
     case CCAttrAmdSevEs:
       //
       // SEV-ES is automatically enabled if SEV-SNP is active.
       //
-      return CurrentAttr >=3D CCAttrAmdSevEs;
+      return CurrentLevel >=3D CCAttrAmdSevEs;
     case CCAttrAmdSevSnp:
-      return CurrentAttr =3D=3D CCAttrAmdSevSnp;
+      return CurrentLevel =3D=3D CCAttrAmdSevSnp;
+    case CCAttrFeatureAmdSevDebugSwap:
+      return !!(CurrentAttr & CCAttrFeatureAmdSevDebugSwap);
     default:
       return FALSE;
   }
@@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask (
=20
   return mSevEncryptionMask;
 }
+
+/**
+  Returns a boolean to indicate whether DebugSwap is enabled.
+
+  @retval TRUE           DebugSwap is enabled
+  @retval FALSE          DebugSwap is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugSwapIsEnabled (
+  VOID
+  )
+{
+  return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevDebugSwap);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern=
al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index 41d1246a5b31..e2ebc8afcaee 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -141,3 +141,22 @@ MemEncryptSevGetEncryptionMask (
=20
   return SevEsWorkArea->EncryptionMask;
 }
+
+/**
+  Returns a boolean to indicate whether DebugSwap is enabled.
+
+  @retval TRUE           DebugSwap is enabled
+  @retval FALSE          DebugSwap is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugSwapIsEnabled (
+  VOID
+  )
+{
+  MSR_SEV_STATUS_REGISTER  Msr;
+
+  Msr.Uint32 =3D InternalMemEncryptSevStatus ();
+
+  return Msr.Bits.DebugSwap ? TRUE : FALSE;
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern=
al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 27148c7e337a..0e82dc85b299 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -142,6 +142,25 @@ MemEncryptSevGetEncryptionMask (
   return SevEsWorkArea->EncryptionMask;
 }
=20
+/**
+  Returns a boolean to indicate whether DebugSwap is enabled.
+
+  @retval TRUE           DebugSwap is enabled
+  @retval FALSE          DebugSwap is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugSwapIsEnabled (
+  VOID
+  )
+{
+  MSR_SEV_STATUS_REGISTER  Msr;
+
+  Msr.Uint32 =3D InternalMemEncryptSevStatus ();
+
+  return Msr.Bits.DebugSwap ? TRUE : FALSE;
+}
+
 /**
   Locate the page range that covers the initial (pre-SMBASE-relocation) SM=
RAM
   Save State Map.
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/=
CcExitLib/CcExitVcHandler.c
index da8f1e5db9fa..29e244df3007 100644
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
@@ -1609,6 +1609,10 @@ Dr7WriteExit (
   UINT64                     *Register;
   UINT64                     Status;
=20
+  if (MemEncryptSevEsDebugSwapIsEnabled ()) {
+    return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+
   Ext       =3D &InstructionData->Ext;
   SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
=20
@@ -1659,6 +1663,10 @@ Dr7ReadExit (
   SEV_ES_PER_CPU_DATA        *SevEsData;
   UINT64                     *Register;
=20
+  if (MemEncryptSevEsDebugSwapIsEnabled ()) {
+    return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+
   Ext       =3D &InstructionData->Ext;
   SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
=20
--=20
2.44.0



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118516): https://edk2.groups.io/g/devel/message/118516
Mute This Topic: https://groups.io/mt/105863824/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-