From: "Lendacky, Thomas"
To: devel@edk2.groups.io
CC: Brijesh Singh, James Bottomley, Jordan Justen, Laszlo Ersek, Ard Biesheuvel
Subject: [PATCH v3 05/15] OvmfPkg/ResetVector: Save the encryption mask at boot time
Date: Thu, 7 Jan 2021 12:48:15 -0600
Message-ID: <2609724859cf21f0c6d45bc323e94465dca4e621.1610045305.git.thomas.lendacky@amd.com>

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

The early assembler code performs validation for some of the SEV-related information, specifically the encryption bit position. To avoid having to re-validate the encryption bit position as the system proceeds through its boot phases, save the validated encryption bit position in the SEV-ES work area for use by later phases.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Brijesh Singh
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
--- OvmfPkg/Include/Library/MemEncryptSevLib.h | 2 ++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +++++++++- OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index dc09c61e58bb..a2c70aa550fe 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT8 Reserved1[7]; =20 UINT64 RandomData; + + UINT64 EncryptionMask; } SEC_SEV_ES_WORK_AREA; =20 /** diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index a1771dfdec23..5fae8986d9da 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
@@ -145,7 +145,7 @@ GetSevEncBit: =20 ; The encryption bit position is always above 31 sub ebx, 32 - jns SevExit + jns SevSaveMask =20 ; Encryption bit was reported as 31 or below, enter a HLT loop SevEncBitLowHlt: @@ -153,6 +153,14 @@ SevEncBitLowHlt: hlt jmp SevEncBitLowHlt =20 +SevSaveMask: + xor edx, edx + bts edx, ebx + + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx + jmp SevExit + NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred= . diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index d3aa87982959..5fbacaed5f9d 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -74,6 +74,7 @@ %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm" --=20 2.30.0
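
Review bot: In the MemEncryptSevLib.h hunk, the new `UINT64 EncryptionMask;` member of SEC_SEV_ES_WORK_AREA has no comment, and the commit message speaks of saving the encryption bit position while the field actually receives a 64-bit value with that one bit set (see SevSaveMask). A short comment above the member stating that it is the mask form and that the reset vector writes it would keep later consumers from treating it as a bit index.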
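
Review bot: In SevSaveMask, `bts edx, ebx` with a register destination takes the bit index modulo 32, so the stored mask is only correct if ebx is in 0..31 after the `sub ebx, 32`. The `jns` covers the lower bound; the upper bound depends on how ebx was produced earlier in GetSevEncBit, which is outside this hunk's context. Please state that invariant in a comment at SevSaveMask, or add an explicit upper-bound check that ends in a HLT loop like SevEncBitLowHlt, because a wrapped index would store a wrong mask without any fault. This hunk also adds no store to SEV_ES_WORK_AREA_ENC_MASK on the NoSev path, so it is worth confirming that the work area is zeroed before later phases read the field.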
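
Review bot: In the ResetVector.nasmb hunk, SEV_ES_WORK_AREA_ENC_MASK hard-codes `+ 16`, which has to stay equal to the offset of EncryptionMask in SEC_SEV_ES_WORK_AREA, just as the existing `+ 8` of SEV_ES_WORK_AREA_RDRAND has to match RandomData. Nothing ties the two definitions together, so a field later inserted ahead of RandomData would silently move the C view away from what the assembly wrote. Consider a STATIC_ASSERT on OFFSET_OF (SEC_SEV_ES_WORK_AREA, EncryptionMask) == 16 on the C side, or at least a comment in each file naming the other.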