Subject: Re: [edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Laszlo Ersek, devel@edk2.groups.io
Cc: Joerg Roedel, Borislav Petkov, Ard Biesheuvel, Jordan Justen, Brijesh Singh, James Bottomley, Jiewen Yao, Min Xu
Date: Thu, 22 Apr 2021 09:51:45 -0500
Message-ID: <372353dd-f6d3-9fa2-f79a-16840822c43b@amd.com>
In-Reply-To: <08f723a5-9883-7785-91c0-9e5627836288@redhat.com>
References: <1677B2EC90F30786.1355@groups.io> <007e59ea-3933-7b93-afff-4023f3111558@amd.com> <08f723a5-9883-7785-91c0-9e5627836288@redhat.com>

On 4/22/21 2:34 AM, Laszlo Ersek wrote:
> On 04/21/21 01:13, Lendacky, Thomas wrote:
>> On 4/20/21 5:54 PM, Lendacky, Thomas via groups.io wrote:
>>> From: Tom Lendacky >>> >>> BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3345&data=04%7C01%7Cthomas.lendacky%40amd.com%7C6b8da1f9a3bf4fb5f01e08d905613998%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637546737416495415%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=5vPlHPzGlS2%2Bqu3U4RPMITpyY%2F2ZxKJlaVYfFZItONQ%3D&reserved=0 >>> >>> The TPM support in OVMF performs MMIO accesses during the PEI phase. At >>> this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES >>> guest will fail attempting to perform MMIO to an encrypted address. > > (1) The subject says SEV, not SEV-ES, and the code in the patch too > suggests SEV, not SEV-ES. If that's correct, can you please update the > commit message? Yes, I'll update the commit message. The action is correct for all SEV guests in general, but it is only with SEV-ES, where the tighter MMIO checks can be performed, that an actual issue shows up. > >>> >>> Read the PcdTpmBaseAddress and mark the specification defined range >>> (0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process >>> the MMIO requests. >>> >>> Cc: Laszlo Ersek >>> Cc: Ard Biesheuvel >>> Cc: Jordan Justen >>> Cc: Brijesh Singh >>> Cc: James Bottomley >>> Cc: Jiewen Yao >>> Cc: Min Xu >>> Signed-off-by: Tom Lendacky >>> --- >>> OvmfPkg/PlatformPei/PlatformPei.inf | 1 + >>> OvmfPkg/PlatformPei/AmdSev.c | 19 +++++++++++++++++++ >>> 2 files changed, 20 insertions(+) >>> >>> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf >>> index 6ef77ba7bb21..de60332e9390 100644 >>> --- a/OvmfPkg/PlatformPei/PlatformPei.inf >>> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf 
>>> @@ -113,6 +113,7 @@ [Pcd] >>> >>> [FixedPcd] >>> gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress >>> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress >>> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS >>> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory >>> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType >>> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c >>> index dddffdebda4b..d524929f9e10 100644 >>> --- a/OvmfPkg/PlatformPei/AmdSev.c >>> +++ b/OvmfPkg/PlatformPei/AmdSev.c >>> @@ -141,6 +141,7 @@ AmdSevInitialize ( >>> ) >>> { >>> UINT64 EncryptionMask; >>> + UINT64 TpmBaseAddress; >>> RETURN_STATUS PcdStatus; >>> >>> // 
>>> @@ -206,6 +207,24 @@ AmdSevInitialize ( >>> } >>> } >>> >>> + // >>> + // PEI TPM support will perform MMIO accesses, be sure this range is not >>> + // marked encrypted. >>> + // >>> + TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress); >>> + if (TpmBaseAddress != 0) { >>> + RETURN_STATUS DecryptStatus; >>> + >>> + DecryptStatus = MemEncryptSevClearPageEncMask ( >>> + 0, >>> + TpmBaseAddress, >>> + EFI_SIZE_TO_PAGES (0x5000), >>> + FALSE >>> + ); >>> + >>> + ASSERT_RETURN_ERROR (DecryptStatus); >>> + } >>> + >> >> Laszlo, I'm not sure if this is the best way to approach this. It is >> simple and straight forward and the TCG/TPM support is one of the few >> (only?) pieces of code that does actual MMIO during PEI that is bitten >> by not having the address marked as shared/unencrypted. > > In SEC, I think we have MMIO access too (LAPIC -- > InitializeApicTimer()); why does that work? > > Hmm... Is that because we're immediately in x2apic mode, and that means > CPUID plus MSR accesses, and not MMIO? (I'm reminded of commit > decb365b0016 ("OvmfPkg: select LocalApicLib instance with x2apic > support", 2015-11-30).) And, we have #VC handling in SEC too. > > Anyway: I think the TPM (MMIO) access you see comes from this PEIM: > > OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > > The driver uses the following library instance: > > SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf > > This library instance is what depends on "PcdTpmBaseAddress". > > And it's not just that decrypting the TPM MMIO range in PlatformPei > "looks awkward", but I don't even see it immediately why PlatformPei is > guaranteed to be dispatched before Tcg2ConfigPei. The effective depex of > Tcg2ConfigPei is just "gEfiPeiPcdPpiGuid" (on X64), according to the > build report file. If Tcg2ConfigPei runs first, whatever we do in > PlatformPei is too late. > > I also don't like that, with this patch, we'd decrypt the TPM range even > if OVMF weren't built with "-D TPM_ENABLE". 
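Review bot: In the PlatformPei.inf hunk, PcdTpmBaseAddress is consumed under [FixedPcd], so its value is baked in at build time from the nonzero SecurityPkg.dec default; the `if (TpmBaseAddress != 0)` guard in the AmdSev.c hunk can therefore never skip the decrypt, including in builds made without `-D TPM_ENABLE`. If the decrypt is meant to track whether TPM support is actually built in, it belongs in the TPM PEIM (Tcg2ConfigPei) rather than in PlatformPei, which also removes the open question of whether PlatformPei is dispatched before Tcg2ConfigPei at all.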
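Review bot: In the AmdSevInitialize() hunk, `EFI_SIZE_TO_PAGES (0x5000)` passes an `int` constant where the macro expects a UINTN; write `EFI_SIZE_TO_PAGES ((UINTN)0x5000)`. The error handling is also DEBUG-only: `ASSERT_RETURN_ERROR (DecryptStatus)` compiles to nothing when MDEPKG_NDEBUG is defined, so a RELEASE build that fails to clear the mask would continue silently with the TPM range still encrypted and hit the MMIO failure later. If a failure here is fatal, log it with DEBUG and hang with `CpuDeadLoop ()`, as proposed further down the thread. As a style point, `TpmBaseAddress` could be declared inside the `if` block next to `DecryptStatus` instead of at function scope.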
Namely, OVMF uses > "PcdTpmBaseAddress" as fixed (not dynamic), inheriting the nonzero > default from "SecurityPkg.dec". (In ArmVirtQemu, PcdTpmBaseAddress is > set dynamically, which is why Tcg2ConfigPei has an ARM-specific depex > too.) > > > (2) So, can you please try the following, in the > "OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf" module: I'll take the input from each of your emails on this and see how that all works. Thanks for the insight and knowledge! Tom > >> diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf >> index 6776ec931ce0..0d0572b83599 100644 >> --- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf >> +++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf >> @@ -20,13 +20,16 @@ [Defines] >> ENTRY_POINT = Tcg2ConfigPeimEntryPoint >> >> [Sources] >> + MemEncrypt.h >> Tcg2ConfigPeim.c >> Tpm12Support.h >> >> [Sources.IA32, Sources.X64] >> + MemEncryptSev.c >> Tpm12Support.c >> >> [Sources.ARM, Sources.AARCH64] >> + MemEncryptNull.c >> Tpm12SupportNull.c >> >> [Packages] >> @@ -43,6 +46,7 @@ [LibraryClasses] >> >> [LibraryClasses.IA32, LibraryClasses.X64] >> BaseLib >> + MemEncryptSevLib >> Tpm12DeviceLib >> >> [Guids] 
>> @@ -56,6 +60,9 @@ [Ppis] >> [Pcd] >> gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES >> >> +[Pcd.IA32, Pcd.X64] >> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## SOMETIMES_CONSUMES >> + >> [Depex.IA32, Depex.X64] >> TRUE >> > > In the "MemEncrypt.h" file, declare a function called > InternalTpmDecryptAddressRange(). The function definition in > "MemEncryptNull.c" should do nothing, while the one in "MemEncryptSev.c" > should check MemEncryptSevIsEnabled(), and then make the above-seen > MemEncryptSevClearPageEncMask() call. > > The new InternalTpmDecryptAddressRange() function should be called from > Tcg2ConfigPeimEntryPoint(), before the latter calls > InternalTpm12Detect(). Regarding error checking... if > InternalTpmDecryptAddressRange() fails, I think we can log an error > message, and hang with CpuDeadLoop(). > > (An alternative approach would be to call MemEncryptSevIsEnabled() and > MemEncryptSevClearPageEncMask() regardless of architecture, i.e., also > on ARM / AARCH64. In addition to that, we'd have to implement a Null > instance of MemEncryptSevLib, and resolve MemEncryptSevLib to the Null > instance in the ArmVirtPkg DSC files. But I don't like that: the library > *class* carries SEV in the name, which is inherently X64-specific, thus > I wouldn't even like the lib *class* to leak into ArmVirtPkg.) > > > (3) If the approach in (2) works, then please don't forget to update the > patch subject (it currently refers to PlatformPei). > > > (4) The argument of the EFI_SIZE_TO_PAGES() function-like macro should > have type UINTN. The constant 0x5000 has type "int" (INT32); please cast > it to UINTN. > > (In fact I would prefer a new macro for 0x5000, somewhere in the > "MdePkg/Include/IndustryStandard/Tpm*.h" files; but I can see that > SecurityPkg already open-codes the 0x5000 constant in > "Tcg/Tcg2Acpi/Tpm.asl" and "Tcg/TcgSmm/Tpm.asl", so meh.) > > Thanks > Laszlo >
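Review bot: In the `[Pcd.IA32, Pcd.X64]` hunk, PcdTpmBaseAddress is marked SOMETIMES_CONSUMES while `[Depex.IA32, Depex.X64]` stays `TRUE`; that is only correct because OVMF declares the PCD fixed, so a short comment at the Pcd entry recording that assumption would help (ArmVirtQemu, where it is dynamic, needs the PCD PPI in its depex). The `[Sources]` hunk lists MemEncrypt.h for every architecture but the two .c implementations per architecture, which is consistent with adding MemEncryptSevLib only under `[LibraryClasses.IA32, LibraryClasses.X64]`; the diff shows no file contents, so the `MemEncryptSevIsEnabled()` check described in the prose still has to be written into MemEncryptSev.c, and MemEncryptNull.c must return success rather than an error so the ARM entry point's error path is never taken.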
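Added example, written for this page and not code from OVMF or from anyone in the thread: a self-contained C model of what "mark the TPM MMIO range as unencrypted" means at the page-table level, following the InternalTpmDecryptAddressRange() shape Laszlo suggests above (no-op without SEV or without a TPM base, otherwise clear the encryption mask on the whole 0x5000-byte range, sized with a UINTN argument). It assumes a flat table of 4 KiB leaf entries covering a small window around the TPM range, the SEV C-bit at position 47 (firmware reads the real position from CPUID Fn8000_001F EBX[5:0]), and 0xFED40000 as the TPM base, the TCG-defined address that is assumed here to be the SecurityPkg.dec default the thread mentions. The functions ModelClearPageEncMask(), TpmDecryptAddressRange(), PageIsEncrypted(), CountEncryptedPages() and DemoDecryptTpmRange() are this example's own names.

```c
/*
 * Simplified model of "mark the TPM MMIO range as unencrypted" under SEV.
 * Added example, not OVMF code: the page table is a flat array of 4 KiB
 * leaf entries covering a window around the TPM range (an assumption made
 * to keep the model self-contained). OVMF's MemEncryptSevClearPageEncMask()
 * walks the real paging structures instead.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t UINT64;
typedef size_t   UINTN;

#define EFI_PAGE_SHIFT 12
#define EFI_PAGE_SIZE  ((UINTN)1 << EFI_PAGE_SHIFT)
/* Same rounding as MdePkg's EFI_SIZE_TO_PAGES(); the argument must be a
 * UINTN, which is review point (4) in the thread. */
#define EFI_SIZE_TO_PAGES(Size) \
  (((Size) >> EFI_PAGE_SHIFT) + (((Size) & (EFI_PAGE_SIZE - 1)) ? 1 : 0))

/* TCG-defined TPM MMIO base (assumed to be the SecurityPkg.dec default the
 * thread refers to) and the 0x5000-byte range from the patch. */
#define TPM_BASE_ADDRESS  0xFED40000ULL
#define TPM_RANGE_SIZE    ((UINTN)0x5000)

/* Modelled window: 64 pages, starting 16 pages below the TPM base so the
 * TPM range has untouched neighbours on both sides. */
#define MODEL_PAGES  64
#define MODEL_BASE   (TPM_BASE_ADDRESS - 16 * (UINT64)EFI_PAGE_SIZE)

/* Assumption for the model: C-bit at bit 47. Real firmware reads the
 * position from CPUID Fn8000_001F EBX[5:0]. */
#define SEV_C_BIT  47

typedef enum {
  RETURN_SUCCESS = 0,
  RETURN_INVALID_PARAMETER,
  RETURN_UNSUPPORTED,
  RETURN_NOT_FOUND
} RETURN_STATUS;

typedef struct {
  UINT64 Entries[MODEL_PAGES];   /* one leaf PTE per 4 KiB page */
  bool   SevEnabled;             /* stands in for MemEncryptSevIsEnabled() */
} MODEL_PAGE_TABLE;

static MODEL_PAGE_TABLE gModel;

/* Every page starts present, writable and private (C-bit set). */
void ModelInit(MODEL_PAGE_TABLE *Pt, bool SevEnabled) {
  Pt->SevEnabled = SevEnabled;
  for (UINTN i = 0; i < MODEL_PAGES; i++) {
    Pt->Entries[i] = (MODEL_BASE + i * EFI_PAGE_SIZE) | 0x3 | ((UINT64)1 << SEV_C_BIT);
  }
}

/* Model of MemEncryptSevClearPageEncMask(): validate the range, then clear
 * the C-bit on NumPages leaf entries starting at PhysicalAddress. */
RETURN_STATUS ModelClearPageEncMask(MODEL_PAGE_TABLE *Pt, UINT64 PhysicalAddress, UINTN NumPages) {
  if (!Pt->SevEnabled) return RETURN_UNSUPPORTED;
  if (PhysicalAddress & (EFI_PAGE_SIZE - 1)) return RETURN_INVALID_PARAMETER;
  if (PhysicalAddress < MODEL_BASE) return RETURN_NOT_FOUND;
  UINTN First = (UINTN)((PhysicalAddress - MODEL_BASE) >> EFI_PAGE_SHIFT);
  if (First >= MODEL_PAGES || NumPages > MODEL_PAGES - First) return RETURN_NOT_FOUND;
  for (UINTN i = 0; i < NumPages; i++) {
    Pt->Entries[First + i] &= ~((UINT64)1 << SEV_C_BIT);
  }
  return RETURN_SUCCESS;
}

/* Shape of the InternalTpmDecryptAddressRange() suggested in the thread:
 * nothing to do without SEV or without a TPM base; otherwise decrypt the
 * whole 0x5000-byte range, with the size passed as a UINTN. */
RETURN_STATUS TpmDecryptAddressRange(MODEL_PAGE_TABLE *Pt, UINT64 TpmBaseAddress) {
  if (!Pt->SevEnabled || TpmBaseAddress == 0) return RETURN_SUCCESS;
  return ModelClearPageEncMask(Pt, TpmBaseAddress, EFI_SIZE_TO_PAGES(TPM_RANGE_SIZE));
}

/* Address must lie inside the modelled window. */
bool PageIsEncrypted(const MODEL_PAGE_TABLE *Pt, UINT64 Address) {
  UINTN Index = (UINTN)((Address - MODEL_BASE) >> EFI_PAGE_SHIFT);
  return (Pt->Entries[Index] & ((UINT64)1 << SEV_C_BIT)) != 0;
}

UINTN CountEncryptedPages(const MODEL_PAGE_TABLE *Pt) {
  UINTN Count = 0;
  for (UINTN i = 0; i < MODEL_PAGES; i++) {
    if (Pt->Entries[i] & ((UINT64)1 << SEV_C_BIT)) Count++;
  }
  return Count;
}

/* Resets the global model and runs the decrypt step against it. */
RETURN_STATUS DemoDecryptTpmRange(bool SevEnabled) {
  ModelInit(&gModel, SevEnabled);
  return TpmDecryptAddressRange(&gModel, TPM_BASE_ADDRESS);
}

int main(void) {
  RETURN_STATUS Status = DemoDecryptTpmRange(true);
  printf("decrypt status %d, pages still private: %zu of %d\n",
         (int)Status, CountEncryptedPages(&gModel), MODEL_PAGES);
  printf("TPM base page encrypted: %d, page after the range encrypted: %d\n",
         PageIsEncrypted(&gModel, TPM_BASE_ADDRESS),
         PageIsEncrypted(&gModel, TPM_BASE_ADDRESS + TPM_RANGE_SIZE));
  return 0;
}
```

The model makes two points from the thread concrete: with SEV on, exactly the five 4 KiB pages of the 0x5000-byte range lose the C-bit and their neighbours keep it, and with SEV off the function is a no-op, which is the behaviour the Null and Sev variants of InternalTpmDecryptAddressRange() should share from the caller's point of view. The range checks in ModelClearPageEncMask() stand in for the status that real firmware must act on rather than only assert on.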