From: "Alexey Kardashevskiy via groups.io"
CC: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu, Alexey Kardashevskiy
Subject: [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
Date: Wed, 5 Jun 2024 12:09:44 +1000
Message-ID: <20240605020946.1224515-4-aik@amd.com>
In-Reply-To: <20240605020946.1224515-1-aik@amd.com>
References: <20240605020946.1224515-1-aik@amd.com>

The SEV-ES DebugVirtualization feature enables type B swapping of debug registers on #VMEXIT and makes #DB and DR7 intercepts unnecessary and unwanted.

When DebugVirtualization is enabled, this stops booting if #VC for #DB or DB7 read/write occurs as this signals unwanted interaction from the HV.

Add new API to PEI, SEC, DXE.

This does not change the existing behaviour yet.

Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Cc: Jiewen Yao
Cc: Michael Roth
Cc: Min Xu
Cc: Tom Lendacky
Signed-off-by: Alexey Kardashevskiy
---
Changes:
v4:
* s/DebugSwap/DebugVirtualization/
---
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 ++= +++++++ OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 ++= +++++++++++++++--- OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 ++= +++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 ++= +++++++++ OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 8 ++= ++++ 5 files changed, 74 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 4fa9c0d70083..c5653539d8d8 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask ( VOID ); =20 +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ); + /** Returns the encryption state of the specified virtual address range. =20
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4aba0075b9e2..9947d663deae 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck ( IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { + UINT64 CurrentLevel; + + CurrentLevel =3D CurrentAttr & CCAttrTypeMask; + switch (Attr) { case CCAttrAmdSev: // // SEV is automatically enabled if SEV-ES or SEV-SNP is active. // - return CurrentAttr >=3D CCAttrAmdSev; + return CurrentLevel >=3D CCAttrAmdSev; case CCAttrAmdSevEs: // // SEV-ES is automatically enabled if SEV-SNP is active. // - return CurrentAttr >=3D CCAttrAmdSevEs; + return CurrentLevel >=3D CCAttrAmdSevEs; case CCAttrAmdSevSnp: - return CurrentAttr =3D=3D CCAttrAmdSevSnp; + return CurrentLevel =3D=3D CCAttrAmdSevSnp; + case CCAttrFeatureAmdSevEsDebugVirtualization: + return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization); default: return FALSE; } @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask ( =20 return mSevEncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtuali= zation); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index 41d1246a5b31..7d823ad639f4 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c 
@@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask ( =20 return SevEsWorkArea->EncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 27148c7e337a..33a326ac1571 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } =20 +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} + /** Locate the page range that covers the initial (pre-SMBASE-relocation) SM= RAM Save State Map. diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/= CcExitLib/CcExitVcHandler.c index da8f1e5db9fa..2031fa9e22e6 100644 --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c @@ -1609,6 +1609,10 @@ Dr7WriteExit ( UINT64 *Register; UINT64 Status; =20 + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext =3D &InstructionData->Ext; SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); =20 
@@ -1659,6 +1663,10 @@ Dr7ReadExit ( SEV_ES_PER_CPU_DATA *SevEsData; UINT64 *Register; =20 + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext =3D &InstructionData->Ext; SevEsData =3D (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); =20 --=20 2.44.0
View/Reply Online (#119461): https://edk2.groups.io/g/devel/message/119461
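
Review bot: In AmdMemEncryptionAttrCheck() in DxeMemEncryptSevLibInternal.c, the new case CCAttrFeatureAmdSevEsDebugVirtualization tests only the feature bit in CurrentAttr and never checks that CurrentLevel is at least CCAttrAmdSevEs, so a feature bit set on a guest that is not SEV-ES would still report the feature as enabled. Consider returning (CurrentLevel >= CCAttrAmdSevEs) && ((CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0); the explicit != 0 also reads more clearly than !! for a BOOLEAN return. Separately, the commit message says existing behaviour does not change, but the three level comparisons now use the masked CurrentLevel instead of CurrentAttr; a sentence in the commit message stating why the two were equal before this change would make that claim checkable.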
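
Review bot: The PEI and SEC versions of MemEncryptSevEsDebugVirtualizationIsEnabled() return FALSE unconditionally, yet their function comments are copied from the DXE version and promise TRUE when DebugVirtualization is enabled. Either state in the comment that the feature is not detected in these phases and why, or read the real state there; as written, the DR7 check added in CcExitVcHandler.c can never fire wherever these two library instances are linked.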
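
Review bot: In Dr7WriteExit() and Dr7ReadExit() in CcExitVcHandler.c, the new early return through UnsupportedExit() carries no comment explaining why a DR7 intercept is treated as fatal when DebugVirtualization is enabled, and the commit message also names #DB while no visible hunk handles a #DB #VC. Add a short comment above each check saying that the hypervisor is not expected to intercept DR7 once the debug registers are swapped, and either add the #DB case or narrow the commit message to DR7 read/write.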