public inbox for devel@edk2.groups.io
* [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization
@ 2024-06-05  2:09 Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER Alexey Kardashevskiy via groups.io
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy

This is to prevent #DB interception on an SEV-ES VM with the
DebugVirtualization feature enabled.

The previous conversation is here:
https://edk2.groups.io/g/devel/topic/patch_ovmf_v3_0_5_enable/105863808

This is based on sha1
7772e339bdbb Chao Li "ArmVirtPkg: Enable the non-hardcode version FdtNorFlashQemuLib".

Please comment. Thanks.



Alexey Kardashevskiy (5):
  MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER
  MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr
  OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
  UefiCpuPkg: Add AMD SEV-ES features support
  OvmfPkf: Enable AMD SEV-ES DebugVirtualization

 MdePkg/Include/ConfidentialComputingGuestAttr.h                    | 15 +++-
 MdePkg/Include/Register/Amd/Fam17Msr.h                             | 95 +++++++++++++++++++-
 OvmfPkg/Include/Library/MemEncryptSevLib.h                         | 12 +++
 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++-
 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 19 ++++
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 19 ++++
 OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                        |  8 ++
 OvmfPkg/PlatformPei/AmdSev.c                                       | 13 ++-
 UefiCpuPkg/Library/MpInitLib/MpLib.c                               | 12 ++-
 9 files changed, 205 insertions(+), 15 deletions(-)

-- 
2.44.0



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119458): https://edk2.groups.io/g/devel/message/119458
Mute This Topic: https://groups.io/mt/106496065/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER
  2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
@ 2024-06-05  2:09 ` Alexey Kardashevskiy via groups.io
  2024-06-05 18:33   ` Lendacky, Thomas via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 2/5] MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr Alexey Kardashevskiy via groups.io
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy

For now we need DebugSwap but others are likely to be needed too.

Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* added more from April/2024 APM
---
 MdePkg/Include/Register/Amd/Fam17Msr.h | 95 +++++++++++++++++++-
 1 file changed, 91 insertions(+), 4 deletions(-)

diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Register/Amd/Fam17Msr.h
index f2d5ccb39dc7..286b337f70fa 100644
--- a/MdePkg/Include/Register/Amd/Fam17Msr.h
+++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
@@ -126,19 +126,106 @@ typedef union {
     ///
     /// [Bit 0] Secure Encrypted Virtualization (Sev) is enabled
     ///
-    UINT32    SevBit    : 1;
+    UINT32    SevBit              : 1;
 
     ///
     /// [Bit 1] Secure Encrypted Virtualization Encrypted State (SevEs) is enabled
     ///
-    UINT32    SevEsBit  : 1;
+    UINT32    SevEsBit            : 1;
 
     ///
     /// [Bit 2] Secure Nested Paging (SevSnp) is enabled
     ///
-    UINT32    SevSnpBit : 1;
+    UINT32    SevSnpBit           : 1;
 
-    UINT32    Reserved2 : 29;
+    ///
+    /// [Bit 3] Virtual TOM feature is enabled in SEV_FEATURES[1]
+    ///
+    UINT32    vTOM                : 1;
+
+    ///
+    /// [Bit 4] ReflectVC feature is enabled in SEV_FEATURES[2]
+    ///
+    UINT32    ReflectVC           : 1;
+
+    ///
+    /// [Bit 5] Restricted Injection feature is enabled in SEV_FEATURES[3]
+    ///
+    UINT32    RestrictedInjection : 1;
+
+    ///
+    /// [Bit 6] Alternate Injection feature is enabled in SEV_FEATURES[4]
+    ///
+    UINT32    AlternateInjection  : 1;
+
+    ///
+    /// [Bit 7] Debug Virtualization feature is enabled in SEV_FEATURES[5]
+    ///
+    UINT32    DebugVirtualization : 1;
+
+    ///
+    /// [Bit 8]  PreventHostIBS feature is enabled in SEV_FEATURES[6]
+    ///
+    UINT32    PreventHostIBS      : 1;
+
+    ///
+    /// [Bit 9] BTB isolation feature is enabled in SEV_FEATURES[7]
+    ///
+    UINT32    SNPBTBIsolation     : 1;
+
+    ///
+    /// [Bit 10] VMPL SSS feature is enabled in SEV_FEATURES[8]
+    ///
+    UINT32    VmplSSS             : 1;
+
+    ///
+    /// [Bit 11] Secure TSC feature is enabled in SEV_FEATURES[9]
+    ///
+    UINT32    SecureTsc           : 1;
+
+    ///
+    /// [Bit 12] VMGEXIT Parameter feature is enabled in SEV_FEATURES[10]
+    ///
+    UINT32    VmgexitParameter    : 1;
+
+    ///
+    /// [Bit 13] PMC Virtualization feature is enabled in SEV_FEATURES[11]
+    ///
+    UINT32    PmcVirtualization   : 1;
+
+    ///
+    /// [Bit 14] IBS Virtualization feature is enabled in SEV_FEATURES[12]
+    ///
+    UINT32    IbsVirtualization   : 1;
+
+    ///
+    /// [Bit 15]
+    ///
+    UINT32    Reserved1           : 1;
+
+    ///
+    /// [Bit 16] VMSA Register Protection feature is enabled in SEV_FEATURES[14]
+    ///
+    UINT32    VmsaRegProt         : 1;
+
+    ///
+    /// [Bit 17] SMT Protection feature is enabled in SEV_FEATURES[15]
+    ///
+    UINT32    SmtProtection       : 1;
+    ///
+    ///
+    /// [Bit 18] Secure AVIC feature is enabled in SEV_FEATURES[16]
+    ///
+    UINT32    SecureAVIC          : 1;
+
+    UINT32    Reserved2           : 4;
+
+    ///
+    /// [Bit 23] IBPB on Entry feature is enabled in SEV_FEATURES[21]
+    ///
+    UINT32    IbpbOnEntry         : 1;
+
+    UINT32    Reserved3           : 8;
   } Bits;
   ///
   /// All bit fields as a 32-bit value
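Review bot: the doc-comment layout is inconsistent in the last third of the hunk. `SmtProtection` at bit 17 is followed by two stray `///` lines and no blank line, so the `[Bit 18] Secure AVIC` block starts with a doubled opener; `Reserved2` (bits 19-22) and `Reserved3` (bits 24-31) carry no `[Bits ...]` comment at all, unlike `Reserved1`, which documents `[Bit 15]`; and `[Bit 8]` has a double space before `PreventHostIBS`. Suggest

    ///
    /// [Bits 22:19] Reserved
    ///

above `Reserved2` and the same `[Bits 31:24]` form above `Reserved3`, which also lets a reader verify by eye that the fields sum to 32 bits (19 + 4 + 1 + 8).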
-- 
2.44.0




* [edk2-devel] [PATCH ovmf v4 2/5] MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr
  2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER Alexey Kardashevskiy via groups.io
@ 2024-06-05  2:09 ` Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support Alexey Kardashevskiy via groups.io
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy

PcdConfidentialComputingGuestAttr so far only contained an SEV mode bit,
but there are other features which do not translate to levels,
such as DebugVirtualization or SecureTsc.

Add the feature mask and the DebugVirtualization feature bit to the PCD.

Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/CCAttrFeatureAmdSevDebugSwap/CCAttrFeatureAmdSevEsDebugVirtualization/

v2:
* expanded features mask
* added type mask
---
 MdePkg/Include/ConfidentialComputingGuestAttr.h | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h
index 44e6df800207..f62158f77e03 100644
--- a/MdePkg/Include/ConfidentialComputingGuestAttr.h
+++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h
@@ -29,9 +29,20 @@ typedef enum {
 
   /* The guest is running with Intel TDX memory encryption enabled. */
   CCAttrIntelTdx = 0x200,
+
+  CCAttrTypeMask = 0x000000000000ffff,
+
+  /* Features */
+
+  /* The AMD SEV-ES DebugVirtualization feature is enabled in SEV_STATUS */
+  CCAttrFeatureAmdSevEsDebugVirtualization = 0x0000000000010000,
+
+  CCAttrFeatureMask = 0xffffffffffff0000,
 } CONFIDENTIAL_COMPUTING_GUEST_ATTR;
 
-#define CC_GUEST_IS_TDX(x)  ((x) == CCAttrIntelTdx)
-#define CC_GUEST_IS_SEV(x)  ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)
+#define _CC_GUEST_IS_TDX(x)  ((x) == CCAttrIntelTdx)
+#define CC_GUEST_IS_TDX(x)   _CC_GUEST_IS_TDX((x) & CCAttrTypeMask)
+#define _CC_GUEST_IS_SEV(x)  ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)
+#define CC_GUEST_IS_SEV(x)   _CC_GUEST_IS_SEV((x) & CCAttrTypeMask)
 
 #endif
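Review bot: `CCAttrFeatureMask = 0xffffffffffff0000` does not fit in an `int`, and C (before C23) requires every enumeration constant to be representable as an `int`; GCC and Clang accept it as an extension and widen the underlying type, while other compilers may warn, truncate or reject it, and `sizeof (CONFIDENTIAL_COMPUTING_GUEST_ATTR)` now depends on the compiler. Since the value only ever lives in a 64-bit PCD and is applied as `(x) & CCAttrTypeMask`, keeping the enum to the type and feature values and defining the two masks as `UINT64` macros (e.g. `#define CC_ATTR_TYPE_MASK  0xffffULL`) would be portable. Separately, `_CC_GUEST_IS_TDX` and `_CC_GUEST_IS_SEV` are reserved identifiers (leading underscore followed by an uppercase letter); the unmasked helpers can simply be named e.g. `CC_GUEST_TYPE_IS_SEV`. Finally, `CCAttrTypeMask` sits among the type values without a comment; a `/* Mask covering the type values above */` line would match the `/* Features */` separator used below it.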
-- 
2.44.0




* [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
  2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 2/5] MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr Alexey Kardashevskiy via groups.io
@ 2024-06-05  2:09 ` Alexey Kardashevskiy via groups.io
  2024-06-05 18:47   ` Lendacky, Thomas via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support Alexey Kardashevskiy via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
  4 siblings, 1 reply; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy

The SEV-ES DebugVirtualization feature enables type B swapping of
debug registers on #VMEXIT and makes #DB and DR7 intercepts
unnecessary and unwanted.

When DebugVirtualization is enabled, this stops booting if a
#VC for #DB or DR7 read/write occurs, as this signals unwanted
interaction from the HV.

Add new API to PEI, SEC, DXE.

This does not change the existing behaviour yet.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/DebugSwap/DebugVirtualization/
---
 OvmfPkg/Include/Library/MemEncryptSevLib.h                         | 12 +++++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++---
 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 +++++++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 +++++++++++
 OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                        |  8 ++++++
 5 files changed, 74 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index 4fa9c0d70083..c5653539d8d8 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask (
   VOID
   );
 
+/**
+  Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+  @retval TRUE           DebugVirtualization is enabled
+  @retval FALSE          DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+  VOID
+  );
+
 /**
   Returns the encryption state of the specified virtual address range.
 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
index 4aba0075b9e2..9947d663deae 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
@@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck (
   IN  CONFIDENTIAL_COMPUTING_GUEST_ATTR  Attr
   )
 {
+  UINT64  CurrentLevel;
+
+  CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
   switch (Attr) {
     case CCAttrAmdSev:
       //
       // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
       //
-      return CurrentAttr >= CCAttrAmdSev;
+      return CurrentLevel >= CCAttrAmdSev;
     case CCAttrAmdSevEs:
       //
       // SEV-ES is automatically enabled if SEV-SNP is active.
       //
-      return CurrentAttr >= CCAttrAmdSevEs;
+      return CurrentLevel >= CCAttrAmdSevEs;
     case CCAttrAmdSevSnp:
-      return CurrentAttr == CCAttrAmdSevSnp;
+      return CurrentLevel == CCAttrAmdSevSnp;
+    case CCAttrFeatureAmdSevEsDebugVirtualization:
+      return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
     default:
       return FALSE;
   }
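Review bot: the `CCAttrFeatureAmdSevEsDebugVirtualization` case uses `!!(...)`, which edk2 code does not normally use to produce a BOOLEAN; `return (CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0;` reads the same and matches the comparisons in the neighbouring cases. The feature case also tests the unmasked `CurrentAttr` while the three level cases test `CurrentLevel`; a one-line comment saying that feature bits live above `CCAttrTypeMask` and are checked independently of the level would make the asymmetry look intentional rather than like a missed conversion. This is the same function body that 4/5 changes in `UefiCpuPkg/Library/MpInitLib/MpLib.c`, so the two copies need to stay in step.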
@@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask (
 
   return mSevEncryptionMask;
 }
+
+/**
+  Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+  @retval TRUE           DebugVirtualization is enabled
+  @retval FALSE          DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+  VOID
+  )
+{
+  return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index 41d1246a5b31..7d823ad639f4 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask (
 
   return SevEsWorkArea->EncryptionMask;
 }
+
+/**
+  Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+  @retval TRUE           DebugVirtualization is enabled
+  @retval FALSE          DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+  VOID
+  )
+{
+  return FALSE;
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 27148c7e337a..33a326ac1571 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask (
   return SevEsWorkArea->EncryptionMask;
 }
 
+/**
+  Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+  @retval TRUE           DebugVirtualization is enabled
+  @retval FALSE          DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+  VOID
+  )
+{
+  return FALSE;
+}
+
 /**
   Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
   Save State Map.
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
index da8f1e5db9fa..2031fa9e22e6 100644
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
@@ -1609,6 +1609,10 @@ Dr7WriteExit (
   UINT64                     *Register;
   UINT64                     Status;
 
+  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+    return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+
   Ext       = &InstructionData->Ext;
   SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
 
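Review bot: the commit message says booting stops on a #VC for #DB or DR7 read/write, but this and the following hunk only guard `Dr7WriteExit` and `Dr7ReadExit`; nothing in this diff touches the #DB exit path. Either the #DB case needs the same `MemEncryptSevEsDebugVirtualizationIsEnabled ()` guard or the message should say DR7 only. Returning `UnsupportedExit` is the right outcome, since a DR7 intercept with DebugVirtualization active means the hypervisor is intercepting something it must not, but the guest then terminates with no record of why; if there is a safe way to log from this handler before bailing out, it would help whoever has to explain an unexpected halt.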
@@ -1659,6 +1663,10 @@ Dr7ReadExit (
   SEV_ES_PER_CPU_DATA        *SevEsData;
   UINT64                     *Register;
 
+  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+    return UnsupportedExit (Ghcb, Regs, InstructionData);
+  }
+
   Ext       = &InstructionData->Ext;
   SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
 
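Review bot: this four-line guard is byte-for-byte the one added to `Dr7WriteExit` above; since both functions return before touching `Ext` or `SevEsData`, a single check where the DR7 read and write exits are dispatched, or a shared static helper, would keep the two paths from drifting apart if the condition is ever refined.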
-- 
2.44.0




* [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support
  2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
                   ` (2 preceding siblings ...)
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support Alexey Kardashevskiy via groups.io
@ 2024-06-05  2:09 ` Alexey Kardashevskiy via groups.io
  2024-06-05 18:51   ` Lendacky, Thomas via groups.io
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
  4 siblings, 1 reply; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy, Jiaxin Wu,
	Rahul Kumar, Ray Ni

CONFIDENTIAL_COMPUTING_GUEST_ATTR is not a simple SEV level anymore
and includes a feature mask since the previous commit.

Fix AmdMemEncryptionAttrCheck to check the level and feature
correctly and add DebugVirtualization support.

Since the actual feature flag is not set yet, this should cause
no behavioural change.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
 UefiCpuPkg/Library/MpInitLib/MpLib.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
index f97298887f96..444df2abdc1d 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -3196,19 +3196,25 @@ AmdMemEncryptionAttrCheck (
   IN  CONFIDENTIAL_COMPUTING_GUEST_ATTR  Attr
   )
 {
+  UINT64  CurrentLevel;
+
+  CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
   switch (Attr) {
     case CCAttrAmdSev:
       //
       // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
       //
-      return CurrentAttr >= CCAttrAmdSev;
+      return CurrentLevel >= CCAttrAmdSev;
     case CCAttrAmdSevEs:
       //
       // SEV-ES is automatically enabled if SEV-SNP is active.
       //
-      return CurrentAttr >= CCAttrAmdSevEs;
+      return CurrentLevel >= CCAttrAmdSevEs;
     case CCAttrAmdSevSnp:
-      return CurrentAttr == CCAttrAmdSevSnp;
+      return CurrentLevel == CCAttrAmdSevSnp;
+    case CCAttrFeatureAmdSevEsDebugVirtualization:
+      return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
     default:
       return FALSE;
   }
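Review bot: this is an exact copy of the change made to `OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c` in 3/5, including the `!!(...)` idiom in the feature case, so the same style comment applies (`(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0`). The duplication itself deserves a sentence in the commit message, so that the next feature bit gets added to both copies. The `>=` comparisons on `CurrentLevel` still rely on the enumerators being ordered SEV < SEV-ES < SEV-SNP, which the existing comments state, but now that masks share the same enum a short note on that ordering assumption above the `switch` would help the next reader.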
-- 
2.44.0




* [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization
  2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
                   ` (3 preceding siblings ...)
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support Alexey Kardashevskiy via groups.io
@ 2024-06-05  2:09 ` Alexey Kardashevskiy via groups.io
  2024-06-05 18:54   ` Lendacky, Thomas via groups.io
  4 siblings, 1 reply; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05  2:09 UTC (permalink / raw)
  To: devel
  Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
	Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
	Michael Roth, Min Xu, Alexey Kardashevskiy

Write the feature bit into PcdConfidentialComputingGuestAttr
and enable DebugVirtualization in PEI, SEC, DXE.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/DebugSwap/DebugVirtualization/g
* the feature is enabled here for all modes
---
 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c |  6 +++++-
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c |  6 +++++-
 OvmfPkg/PlatformPei/AmdSev.c                                       | 13 ++++++++++---
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index 7d823ad639f4..f381b9255bb7 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
   VOID
   )
 {
-  return FALSE;
+  MSR_SEV_STATUS_REGISTER  Msr;
+
+  Msr.Uint32 = InternalMemEncryptSevStatus ();
+
+  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
 }
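Review bot: `MemEncryptSevEsDebugVirtualizationIsEnabled` now calls `InternalMemEncryptSevStatus ()` on every invocation, and 3/5 calls it from the #VC handler on every DR7 read/write exit; the PEI code a few lines above this function returns `SevEsWorkArea->EncryptionMask` from the work area rather than recomputing it, so it is worth confirming whether `InternalMemEncryptSevStatus` is cached the same way or whether this adds an MSR read per exit. The SEC version in the next hunk is identical, as expected for the two pre-memory phases.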
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 33a326ac1571..946bed2ada13 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
   VOID
   )
 {
-  return FALSE;
+  MSR_SEV_STATUS_REGISTER  Msr;
+
+  Msr.Uint32 = InternalMemEncryptSevStatus ();
+
+  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
 }
 
 /**
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 88ca14507f5e..8562787035db 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -434,6 +434,7 @@ AmdSevInitialize (
   )
 {
   UINT64         EncryptionMask;
+  UINT64         CCGuestAttr;
   RETURN_STATUS  PcdStatus;
 
   //
@@ -517,13 +518,19 @@ AmdSevInitialize (
   // technology is active.
   //
   if (MemEncryptSevSnpIsEnabled ()) {
-    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
+    CCGuestAttr = CCAttrAmdSevSnp;
   } else if (MemEncryptSevEsIsEnabled ()) {
-    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
+    CCGuestAttr = CCAttrAmdSevEs;
   } else {
-    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);
+    CCGuestAttr = CCAttrAmdSev;
   }
 
+  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+    CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
+  }
+
+  PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCGuestAttr);
+
   ASSERT_RETURN_ERROR (PcdStatus);
 }
 
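Review bot: collapsing the three `PcdSet64S` calls into one is an improvement, but the value finally written is no longer visible anywhere in the boot log; a `DEBUG ((DEBUG_INFO, "%a: CCGuestAttr=0x%Lx\n", __func__, CCGuestAttr));` before `PcdSet64S` would show whether bit 16 was actually set on an SEV-ES guest, which is the only way the v4 note "the feature is enabled here for all modes" can be confirmed without a debugger. It also records, for later forensics, which guest type and feature set the firmware believed it was running under.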
-- 
2.44.0




* Re: [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER Alexey Kardashevskiy via groups.io
@ 2024-06-05 18:33   ` Lendacky, Thomas via groups.io
  0 siblings, 0 replies; 11+ messages in thread
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:33 UTC (permalink / raw)
  To: Alexey Kardashevskiy, devel
  Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
	Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu

On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> For now we need DebugSwap but others are likely to be needed too.
> 
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
> Changes:
> v4:
> * added more from April/2024 APM
> ---
>   MdePkg/Include/Register/Amd/Fam17Msr.h | 95 +++++++++++++++++++-
>   1 file changed, 91 insertions(+), 4 deletions(-)
> 
> diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Register/Amd/Fam17Msr.h
> index f2d5ccb39dc7..286b337f70fa 100644
> --- a/MdePkg/Include/Register/Amd/Fam17Msr.h
> +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
> @@ -126,19 +126,106 @@ typedef union {
>       ///
>       /// [Bit 0] Secure Encrypted Virtualization (Sev) is enabled
>       ///
> -    UINT32    SevBit    : 1;
> +    UINT32    SevBit              : 1;
>   
>       ///
>       /// [Bit 1] Secure Encrypted Virtualization Encrypted State (SevEs) is enabled
>       ///
> -    UINT32    SevEsBit  : 1;
> +    UINT32    SevEsBit            : 1;
>   
>       ///
>       /// [Bit 2] Secure Nested Paging (SevSnp) is enabled
>       ///
> -    UINT32    SevSnpBit : 1;
> +    UINT32    SevSnpBit           : 1;
>   
> -    UINT32    Reserved2 : 29;
> +    ///
> +    /// [Bit 3] Virtual TOM feature is enabled in SEV_FEATURES[1]
> +    ///
> +    UINT32    vTOM                : 1;
> +
> +    ///
> +    /// [Bit 4] ReflectVC feature is enabled in SEV_FEATURES[2]
> +    ///
> +    UINT32    ReflectVC           : 1;
> +
> +    ///
> +    /// [Bit 5] Restricted Injection feature is enabled in SEV_FEATURES[3]
> +    ///
> +    UINT32    RestrictedInjection : 1;
> +
> +    ///
> +    /// [Bit 6] Alternate Injection feature is enabled in SEV_FEATURES[4]
> +    ///
> +    UINT32    AlternateInjection  : 1;
> +
> +    ///
> +    /// [Bit 7] Debug Virtualization feature is enabled in SEV_FEATURES[5]
> +    ///
> +    UINT32    DebugVirtualization : 1;
> +
> +    ///
> +    /// [Bit 8]  PreventHostIBS feature is enabled in SEV_FEATURES[6]
> +    ///
> +    UINT32    PreventHostIBS      : 1;
> +
> +    ///
> +    /// [Bit 9] BTB isolation feature is enabled in SEV_FEATURES[7]
> +    ///
> +    UINT32    SNPBTBIsolation     : 1;
> +
> +    ///
> +    /// [Bit 10] VMPL SSS feature is enabled in SEV_FEATURES[8]
> +    ///
> +    UINT32    VmplSSS             : 1;
> +
> +    ///
> +    /// [Bit 11] Secure TSC feature is enabled in SEV_FEATURES[9]
> +    ///
> +    UINT32    SecureTsc           : 1;
> +
> +    ///
> +    /// [Bit 12] VMGEXIT Parameter feature is enabled in SEV_FEATURES[10]
> +    ///
> +    UINT32    VmgexitParameter    : 1;
> +
> +    ///
> +    /// [Bit 13] PMC Virtualization feature is enabled in SEV_FEATURES[11]
> +    ///
> +    UINT32    PmcVirtualization   : 1;
> +
> +    ///
> +    /// [Bit 14] IBS Virtualization feature is enabled in SEV_FEATURES[12]
> +    ///
> +    UINT32    IbsVirtualization   : 1;
> +
> +    ///
> +    /// [Bit 15]
> +    ///
> +    UINT32    Reserved1           : 1;
> +
> +    ///
> +    /// [Bit 16] VMSA Register Protection feature is enabled in SEV_FEATURES[14]
> +    ///
> +    UINT32    VmsaRegProt         : 1;
> +
> +    ///
> +    /// [Bit 17] SMT Protection feature is enabled in SEV_FEATURES[15]
> +    ///
> +    UINT32    SmtProtection       : 1;
> +    ///
> +    ///
> +    /// [Bit 18] Secure AVIC feature is enabled in SEV_FEATURES[16]
> +    ///
> +    UINT32    SecureAVIC          : 1;
> +
> +    UINT32    Reserved2           : 4;
> +
> +    ///
> +    /// [Bit 23] IBPB on Entry feature is enabled in SEV_FEATURES[21]
> +    ///
> +    UINT32    IbpbOnEntry         : 1;
> +
> +    UINT32    Reserved3           : 8;
>     } Bits;
>     ///
>     /// All bit fields as a 32-bit value
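Review bot: the new field names mix conventions. `vTOM`, `SNPBTBIsolation`, `VmplSSS` and `SecureAVIC` keep the APM's capitalisation, while `SecureTsc`, `VmsaRegProt`, `IbpbOnEntry` and `SmtProtection` follow the CamelCase form of the existing `SevBit`/`SevEsBit`/`SevSnpBit`. Since `Msr.Bits.DebugVirtualization` in 5/5 shows these names become API for every consumer of `MSR_SEV_STATUS_REGISTER`, settling on one form now (e.g. `VTom`, `SnpBtbIsolation`, `VmplSss`, `SecureAvic`) avoids a rename later.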



* Re: [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support Alexey Kardashevskiy via groups.io
@ 2024-06-05 18:47   ` Lendacky, Thomas via groups.io
  0 siblings, 0 replies; 11+ messages in thread
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:47 UTC (permalink / raw)
  To: Alexey Kardashevskiy, devel
  Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
	Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu

On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> The SEV-ES DebugVirtualization feature enables type B swapping of
> debug registers on #VMEXIT and makes #DB and DR7 intercepts
> unnecessary and unwanted.
> 
> When DebugVirtualization is enabled, this stops booting if a
> #VC for #DB or DR7 read/write occurs, as this signals unwanted
> interaction from the HV.
> 
> Add new API to PEI, SEC, DXE.
> 
> This does not change the existing behaviour yet.
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
> Changes:
> v4:
> * s/DebugSwap/DebugVirtualization/
> ---
>   OvmfPkg/Include/Library/MemEncryptSevLib.h                         | 12 +++++++++
>   OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++---
>   OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 +++++++++++
>   OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 +++++++++++
>   OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                        |  8 ++++++
>   5 files changed, 74 insertions(+), 3 deletions(-)
> 
> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> index 4fa9c0d70083..c5653539d8d8 100644
> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask (
>     VOID
>     );
>   
> +/**
> +  Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> +  @retval TRUE           DebugVirtualization is enabled
> +  @retval FALSE          DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> +  VOID
> +  );
> +
>   /**
>     Returns the encryption state of the specified virtual address range.
>   
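Review bot: the new prototype's comment says only that it "Returns a boolean to indicate whether DebugVirtualization is enabled", but this header is the contract shared by the SEC, PEI and DXE implementations, two of which are stubs in this patch. State that DebugVirtualization is an SEV-ES feature (so FALSE is the expected answer whenever SEV-ES is not active) and what a FALSE from a given phase means, so a caller such as the #VC handler does not read more into a FALSE than the implementation guarantees.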
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> index 4aba0075b9e2..9947d663deae 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck (
>     IN  CONFIDENTIAL_COMPUTING_GUEST_ATTR  Attr
>     )
>   {
> +  UINT64  CurrentLevel;
> +
> +  CurrentLevel = CurrentAttr & CCAttrTypeMask;
> +
>     switch (Attr) {
>       case CCAttrAmdSev:
>         //
>         // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
>         //
> -      return CurrentAttr >= CCAttrAmdSev;
> +      return CurrentLevel >= CCAttrAmdSev;
>       case CCAttrAmdSevEs:
>         //
>         // SEV-ES is automatically enabled if SEV-SNP is active.
>         //
> -      return CurrentAttr >= CCAttrAmdSevEs;
> +      return CurrentLevel >= CCAttrAmdSevEs;
>       case CCAttrAmdSevSnp:
> -      return CurrentAttr == CCAttrAmdSevSnp;
> +      return CurrentLevel == CCAttrAmdSevSnp;
> +    case CCAttrFeatureAmdSevEsDebugVirtualization:
> +      return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
>       default:
>         return FALSE;
>     }
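Review bot: the `CCAttrFeatureAmdSevEsDebugVirtualization` case returns TRUE on the bare feature bit without requiring `CurrentLevel >= CCAttrAmdSevEs`, so an attribute word that carried the feature bit over a plain-SEV (or not-encrypted) level would report an SEV-ES feature as present; consider `return (CurrentLevel >= CCAttrAmdSevEs) && ((CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0);` so the decoder enforces the invariant rather than trusting the producer. Two smaller points: this change to `AmdMemEncryptionAttrCheck` is not mentioned in the commit message, which only describes the new API, and the same function is edited identically in UefiCpuPkg/Library/MpInitLib/MpLib.c in patch 4/5, so the two copies will drift unless they are kept in lockstep by hand.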
> @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask (
>   
>     return mSevEncryptionMask;
>   }
> +
> +/**
> +  Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> +  @retval TRUE           DebugVirtualization is enabled
> +  @retval FALSE          DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> +  VOID
> +  )
> +{
> +  return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization);
> +}
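Review bot: in DXE the answer comes from `ConfidentialComputingGuestHas`, i.e. from PcdConfidentialComputingGuestAttr, whereas the SEC and PEI variants in this series end up reading MSR_SEV_STATUS directly; the DXE result is therefore only as good as the bit PlatformPei writes into the PCD (patch 5/5). That is fine by design, but a one-line comment here naming the dependency ("valid once PlatformPei has populated the PCD") would save the next reader from tracing it through three libraries.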
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index 41d1246a5b31..7d823ad639f4 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask (
>   
>     return SevEsWorkArea->EncryptionMask;
>   }
> +
> +/**
> +  Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> +  @retval TRUE           DebugVirtualization is enabled
> +  @retval FALSE          DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> +  VOID
> +  )
> +{
> +  return FALSE;
> +}
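Review bot: the PEI body is a hard-coded `return FALSE;` under a doc comment that promises the real answer, and nothing in this commit tells a reader that the stub is intentional until patch 5/5 replaces it. Either add a comment such as `// Placeholder until MSR_SEV_STATUS.DebugVirtualization is consulted` or fold the MSR read into this patch; the same applies to the SEC copy in the next hunk.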
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> index 27148c7e337a..33a326ac1571 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> @@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask (
>     return SevEsWorkArea->EncryptionMask;
>   }
>   
> +/**
> +  Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> +  @retval TRUE           DebugVirtualization is enabled
> +  @retval FALSE          DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> +  VOID
> +  )
> +{
> +  return FALSE;
> +}
> +
>   /**
>     Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
>     Save State Map.
> diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> index da8f1e5db9fa..2031fa9e22e6 100644
> --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> @@ -1609,6 +1609,10 @@ Dr7WriteExit (
>     UINT64                     *Register;
>     UINT64                     Status;
>   
> +  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> +    return UnsupportedExit (Ghcb, Regs, InstructionData);
> +  }
> +
>     Ext       = &InstructionData->Ext;
>     SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
>   
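Review bot: the commit message says booting stops on a #VC for "#DB or DR7 read/write", but the only bail-outs this patch adds are in `Dr7WriteExit` here and `Dr7ReadExit` below; if a #DB-related #VC exit is also meant to be refused when DebugVirtualization is on, that path is not covered by these hunks, and if it is not, the commit message should be narrowed to DR7. Routing the request to `UnsupportedExit` is the right failure mode (terminate rather than emulate a DR7 access the hypervisor should never have intercepted), so a short comment above the `if` saying that a DR7 #VC under DebugVirtualization is treated as hostile hypervisor interaction would document the intent at the point where it is enforced.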
> @@ -1659,6 +1663,10 @@ Dr7ReadExit (
>     SEV_ES_PER_CPU_DATA        *SevEsData;
>     UINT64                     *Register;
>   
> +  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> +    return UnsupportedExit (Ghcb, Regs, InstructionData);
> +  }
> +
>     Ext       = &InstructionData->Ext;
>     SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
>   






* Re: [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support Alexey Kardashevskiy via groups.io
@ 2024-06-05 18:51   ` Lendacky, Thomas via groups.io
  0 siblings, 0 replies; 11+ messages in thread
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:51 UTC (permalink / raw)
  To: Alexey Kardashevskiy, devel
  Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
	Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu,
	Jiaxin Wu, Rahul Kumar, Ray Ni

On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> CONFIDENTIAL_COMPUTING_GUEST_ATTR is not a simple SEV level anymore
> and includes a feature mask since the previous commit.
> 
> Fix AmdMemEncryptionAttrCheck to check the level and feature
> correctly and add DebugVirtualization support.
> 
> Since the actual feature flag is not set yet, this should cause
> no behavioural change.
> 
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
>   UefiCpuPkg/Library/MpInitLib/MpLib.c | 12 +++++++++---
>   1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
> index f97298887f96..444df2abdc1d 100644
> --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
> +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
> @@ -3196,19 +3196,25 @@ AmdMemEncryptionAttrCheck (
>     IN  CONFIDENTIAL_COMPUTING_GUEST_ATTR  Attr
>     )
>   {
> +  UINT64  CurrentLevel;
> +
> +  CurrentLevel = CurrentAttr & CCAttrTypeMask;
> +
>     switch (Attr) {
>       case CCAttrAmdSev:
>         //
>         // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
>         //
> -      return CurrentAttr >= CCAttrAmdSev;
> +      return CurrentLevel >= CCAttrAmdSev;
>       case CCAttrAmdSevEs:
>         //
>         // SEV-ES is automatically enabled if SEV-SNP is active.
>         //
> -      return CurrentAttr >= CCAttrAmdSevEs;
> +      return CurrentLevel >= CCAttrAmdSevEs;
>       case CCAttrAmdSevSnp:
> -      return CurrentAttr == CCAttrAmdSevSnp;
> +      return CurrentLevel == CCAttrAmdSevSnp;
> +    case CCAttrFeatureAmdSevEsDebugVirtualization:
> +      return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
>       default:
>         return FALSE;
>     }
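Review bot: this hunk is a byte-for-byte copy of the `AmdMemEncryptionAttrCheck` change made to OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c in patch 3/5, so UefiCpuPkg and OvmfPkg now carry two identical decoders of PcdConfidentialComputingGuestAttr that have to be kept in sync by hand; a shared helper next to the enum in MdePkg (where `CCAttrTypeMask` is defined) would remove the duplication. The feature case also has the same gap as the OvmfPkg copy: it returns TRUE on the bare feature bit without first requiring `CurrentLevel >= CCAttrAmdSevEs`.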






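The level-versus-feature split that patches 3/5 and 4/5 introduce into AmdMemEncryptionAttrCheck, as a standalone C model added here for illustration (example code written for this page, not part of the edk2 series). The level values follow edk2's ConfidentialComputingGuestAttr.h as recalled from the header (CCAttrAmdSev = 0x100, CCAttrAmdSevEs = 0x101, CCAttrAmdSevSnp = 0x102); the feature bit in bit 32 and a 32-bit CCAttrTypeMask are assumptions standing in for patch 2/5, which is not quoted on this page. The model runs the pre-patch comparison and the patched one side by side over an attribute word built the way patch 5/5's AmdSevInitialize builds it, and shows the concrete failure the fix addresses: once a feature bit is OR-ed into the word, the unmasked `CurrentAttr == CCAttrAmdSevSnp` test stops recognising an SEV-SNP guest. The patched decoder below also carries the extra level guard suggested in the review notes above, which the posted patch does not have.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t CC_GUEST_ATTR;

/* Level encoding as in edk2's ConfidentialComputingGuestAttr.h (values
 * recalled from the header; the header itself is not shown on this page). */
enum {
  CCAttrNotEncrypted = 0x000,
  CCAttrAmdSev       = 0x100,
  CCAttrAmdSevEs     = 0x101,
  CCAttrAmdSevSnp    = 0x102,
};

/* ASSUMED layout for the feature bits added by patch 2/5: the low 32 bits
 * hold the level, the high 32 bits hold per-feature flags. */
#define CCAttrTypeMask                            ((CC_GUEST_ATTR)0xFFFFFFFFULL)
#define CCAttrFeatureAmdSevEsDebugVirtualization  ((CC_GUEST_ATTR)1ULL << 32)

/* Pre-patch decoder: the whole 64-bit word is compared against a level. */
bool AttrCheckOld(CC_GUEST_ATTR CurrentAttr, CC_GUEST_ATTR Attr)
{
  switch (Attr) {
  case CCAttrAmdSev:    return CurrentAttr >= CCAttrAmdSev;
  case CCAttrAmdSevEs:  return CurrentAttr >= CCAttrAmdSevEs;
  case CCAttrAmdSevSnp: return CurrentAttr == CCAttrAmdSevSnp;
  default:              return false;
  }
}

/* Patched decoder (patches 3/5 and 4/5): mask the level before any ordering
 * comparison; a feature query tests its own bit.  The level guard on the
 * feature case is the reviewer suggestion from this thread, not the patch. */
bool AttrCheckNew(CC_GUEST_ATTR CurrentAttr, CC_GUEST_ATTR Attr)
{
  CC_GUEST_ATTR CurrentLevel = CurrentAttr & CCAttrTypeMask;

  switch (Attr) {
  case CCAttrAmdSev:    return CurrentLevel >= CCAttrAmdSev;
  case CCAttrAmdSevEs:  return CurrentLevel >= CCAttrAmdSevEs;
  case CCAttrAmdSevSnp: return CurrentLevel == CCAttrAmdSevSnp;
  case CCAttrFeatureAmdSevEsDebugVirtualization:
    return CurrentLevel >= CCAttrAmdSevEs &&
           (CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0;
  default:              return false;
  }
}

/* Build the PCD value the way AmdSevInitialize does in patch 5/5:
 * pick the level, then OR in the feature bit. */
CC_GUEST_ATTR BuildGuestAttr(bool Snp, bool Es, bool DebugVirtualization)
{
  CC_GUEST_ATTR Attr = Snp ? CCAttrAmdSevSnp : Es ? CCAttrAmdSevEs : CCAttrAmdSev;
  if (DebugVirtualization) {
    Attr |= CCAttrFeatureAmdSevEsDebugVirtualization;
  }
  return Attr;
}

/* True when the old decoder fails to recognise an SNP guest that has
 * DebugVirtualization enabled while the patched decoder gets it right. */
bool OldDecoderMissesSnpWithFeature(void)
{
  CC_GUEST_ATTR SnpDv = BuildGuestAttr(true, true, true);
  return !AttrCheckOld(SnpDv, CCAttrAmdSevSnp) && AttrCheckNew(SnpDv, CCAttrAmdSevSnp);
}

int main(void)
{
  CC_GUEST_ATTR SnpDv = BuildGuestAttr(true, true, true);
  printf("SNP+DebugVirtualization attr = 0x%llx\n", (unsigned long long)SnpDv);
  printf("old decoder says SNP: %d, new decoder says SNP: %d\n",
         AttrCheckOld(SnpDv, CCAttrAmdSevSnp), AttrCheckNew(SnpDv, CCAttrAmdSevSnp));
  printf("new decoder sees DebugVirtualization: %d\n",
         AttrCheckNew(SnpDv, CCAttrFeatureAmdSevEsDebugVirtualization));
  return 0;
}
```

The failure the model exposes is a downgrade in what the firmware believes about its own guest: with the feature bit set, the old `==` comparison reports "not SNP" for an SNP guest, and an unmasked `>=` comparison lets a plain-SEV word with a stray feature bit compare "above" SEV-ES. Masking the level first removes both, and the added level guard on the feature case stops a feature flag from being honoured on a level that cannot have it.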
* Re: [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization
  2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
@ 2024-06-05 18:54   ` Lendacky, Thomas via groups.io
  2024-06-12  1:24     ` Alexey Kardashevskiy via groups.io
  0 siblings, 1 reply; 11+ messages in thread
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:54 UTC (permalink / raw)
  To: Alexey Kardashevskiy, devel
  Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
	Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu

On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> Write the feature bit into PcdConfidentialComputingGuestAttr
> and enable DebugVirtualization in PEI, SEC, DXE.
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
> Changes:
> v4:
> * s/DebugSwap/DebugVirtualization/g
> * the feature is enabled here for all modes
> ---
>   OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c |  6 +++++-
>   OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c |  6 +++++-
>   OvmfPkg/PlatformPei/AmdSev.c                                       | 13 ++++++++++---
>   3 files changed, 20 insertions(+), 5 deletions(-)
> 
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index 7d823ad639f4..f381b9255bb7 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>     VOID
>     )
>   {
> -  return FALSE;
> +  MSR_SEV_STATUS_REGISTER  Msr;
> +
> +  Msr.Uint32 = InternalMemEncryptSevStatus ();
> +
> +  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>   }
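Review bot: `Msr.Uint32 = InternalMemEncryptSevStatus ();` stores the status into the 32-bit `Uint32` member; if `InternalMemEncryptSevStatus` hands back the full 64-bit MSR value the upper half is silently discarded, which is correct given the 32-bit MSR_SEV_STATUS_REGISTER layout defined in patch 1/5 but deserves a one-line comment so the truncation is visibly intentional. `Msr.Bits.DebugVirtualization ? TRUE : FALSE` on a 1-bit field is redundant but harmless; the same two remarks apply to the SEC copy in the next hunk.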
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> index 33a326ac1571..946bed2ada13 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> @@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>     VOID
>     )
>   {
> -  return FALSE;
> +  MSR_SEV_STATUS_REGISTER  Msr;
> +
> +  Msr.Uint32 = InternalMemEncryptSevStatus ();
> +
> +  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>   }
>   
>   /**
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index 88ca14507f5e..8562787035db 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -434,6 +434,7 @@ AmdSevInitialize (
>     )
>   {
>     UINT64         EncryptionMask;
> +  UINT64         CCGuestAttr;
>     RETURN_STATUS  PcdStatus;
>   
>     //
> @@ -517,13 +518,19 @@ AmdSevInitialize (
>     // technology is active.
>     //
>     if (MemEncryptSevSnpIsEnabled ()) {
> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
> +    CCGuestAttr = CCAttrAmdSevSnp;
>     } else if (MemEncryptSevEsIsEnabled ()) {
> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
> +    CCGuestAttr = CCAttrAmdSevEs;
>     } else {
> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);
> +    CCGuestAttr = CCAttrAmdSev;
>     }
>   
> +  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> +    CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
> +  }
> +
> +  PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCGuestAttr);
> +
>     ASSERT_RETURN_ERROR (PcdStatus);
>   }
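Review bot: the feature bit is OR-ed into `CCGuestAttr` after the level selection regardless of which branch was taken, so a plain-SEV attribute would carry an SEV-ES feature flag if `MemEncryptSevEsDebugVirtualizationIsEnabled ()` ever returned TRUE without SEV-ES. Hardware should not report DebugVirtualization without SEV-ES, but nothing here encodes that invariant; either move the OR inside the SNP/SEV-ES branches or add `ASSERT (!MemEncryptSevEsDebugVirtualizationIsEnabled () || MemEncryptSevEsIsEnabled ());` so a bad PCD value is caught where it is produced rather than decoded downstream. The comment above the block still talks only about which SEV "technology is active"; since the change log says the feature is enabled here for all modes, extend the comment to say that feature bits are merged into the same PCD.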
>   






* Re: [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization
  2024-06-05 18:54   ` Lendacky, Thomas via groups.io
@ 2024-06-12  1:24     ` Alexey Kardashevskiy via groups.io
  0 siblings, 0 replies; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-12  1:24 UTC (permalink / raw)
  To: Tom Lendacky, devel
  Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
	Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu

Thanks Tom!

Now, I've pushed it again to my GitHub,
https://github.com/tianocore/edk2/pull/5594, and re-ran the tasks, but "Review
required" is still there, so I assume re-posting patches won't help
getting them in as I need more reviews, right?



On 6/6/24 04:54, Tom Lendacky wrote:
> On 6/4/24 21:09, Alexey Kardashevskiy wrote:
>> Write the feature bit into PcdConfidentialComputingGuestAttr
>> and enable DebugVirtualization in PEI, SEC, DXE.
>>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Erdem Aktas <erdemaktas@google.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Michael Roth <michael.roth@amd.com>
>> Cc: Min Xu <min.m.xu@intel.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
> 
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> 
>> ---
>> Changes:
>> v4:
>> * s/DebugSwap/DebugVirtualization/g
>> * the feature is enabled here for all modes
>> ---
>>   OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c 
>> |  6 +++++-
>>   OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c 
>> |  6 +++++-
>>   OvmfPkg/PlatformPei/AmdSev.c                                       | 
>> 13 ++++++++++---
>>   3 files changed, 20 insertions(+), 5 deletions(-)
>>
>> diff --git 
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c 
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> index 7d823ad639f4..f381b9255bb7 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> @@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>>     VOID
>>     )
>>   {
>> -  return FALSE;
>> +  MSR_SEV_STATUS_REGISTER  Msr;
>> +
>> +  Msr.Uint32 = InternalMemEncryptSevStatus ();
>> +
>> +  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>>   }
>> diff --git 
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c 
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> index 33a326ac1571..946bed2ada13 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> @@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>>     VOID
>>     )
>>   {
>> -  return FALSE;
>> +  MSR_SEV_STATUS_REGISTER  Msr;
>> +
>> +  Msr.Uint32 = InternalMemEncryptSevStatus ();
>> +
>> +  return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>>   }
>>   /**
>> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
>> index 88ca14507f5e..8562787035db 100644
>> --- a/OvmfPkg/PlatformPei/AmdSev.c
>> +++ b/OvmfPkg/PlatformPei/AmdSev.c
>> @@ -434,6 +434,7 @@ AmdSevInitialize (
>>     )
>>   {
>>     UINT64         EncryptionMask;
>> +  UINT64         CCGuestAttr;
>>     RETURN_STATUS  PcdStatus;
>>     //
>> @@ -517,13 +518,19 @@ AmdSevInitialize (
>>     // technology is active.
>>     //
>>     if (MemEncryptSevSnpIsEnabled ()) {
>> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, 
>> CCAttrAmdSevSnp);
>> +    CCGuestAttr = CCAttrAmdSevSnp;
>>     } else if (MemEncryptSevEsIsEnabled ()) {
>> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, 
>> CCAttrAmdSevEs);
>> +    CCGuestAttr = CCAttrAmdSevEs;
>>     } else {
>> -    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, 
>> CCAttrAmdSev);
>> +    CCGuestAttr = CCAttrAmdSev;
>>     }
>> +  if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
>> +    CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
>> +  }
>> +
>> +  PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, 
>> CCGuestAttr);
>> +
>>     ASSERT_RETURN_ERROR (PcdStatus);
>>   }

-- 
Alexey







end of thread, other threads:[~2024-06-12  1:24 UTC | newest]

Thread overview: 11+ messages
2024-06-05  2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER Alexey Kardashevskiy via groups.io
2024-06-05 18:33   ` Lendacky, Thomas via groups.io
2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 2/5] MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr Alexey Kardashevskiy via groups.io
2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support Alexey Kardashevskiy via groups.io
2024-06-05 18:47   ` Lendacky, Thomas via groups.io
2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support Alexey Kardashevskiy via groups.io
2024-06-05 18:51   ` Lendacky, Thomas via groups.io
2024-06-05  2:09 ` [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkf: Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
2024-06-05 18:54   ` Lendacky, Thomas via groups.io
2024-06-12  1:24     ` Alexey Kardashevskiy via groups.io
