From: "Brijesh Singh"
To: "Yao, Jiewen", "devel@edk2.groups.io"
Cc: brijesh.singh@amd.com, James Bottomley, "Xu, Min M", Tom Lendacky, "Justen, Jordan L", Ard Biesheuvel, Laszlo Ersek, Erdem Aktas, "Dong, Eric", "Ni, Ray", "Kumar, Rahul1", "Kinney, Michael D", Liming Gao, "Liu, Zhiguang", Michael Roth
Subject: Re: [RFC PATCH v4 00/27] Add AMD Secure Nested Paging (SEV-SNP) support
Date: Wed, 28 Jul 2021 10:22:20 -0500
Message-ID: <39b6b63f-4632-d654-a29a-80fc8a75e311@amd.com>
References: <20210628174223.1302-1-brijesh.singh@amd.com>

Hi Yao Jiewen,

On 7/28/21 3:16 AM, Yao, Jiewen wrote:
> Hi Brijesh
> I reviewed the patch set. I have some basic questions.
> Please help me understand before I post my comment
>
> If a platform supports SEV-SNP, can we assume SEV-ES is supported?

The SEV-SNP depends on SEV and SEV-ES support. The SEV-ES depends on the
SEV support.

> Or is it a valid case that SecSnp==YES, SevEs==NO?

Nope.

>
> I am trying to understand how many cases we need support.
> I think we want to support below:
> +------------------------+
> | SEV | SEV_ES | SEV_SNP |
> +------------------------+
> |  0  |   0    |    0    |
> |  1  |   0    |    0    |
> |  1  |   1    |    0    |
> |  1  |   1    |    1    |
> +------------------------+
>

Yes, the above looks correct.

>
> Any other combination we need support? Such as below:

The below cases are not applicable.

> +------------------------+
> | SEV | SEV_ES | SEV_SNP |
> +------------------------+
> |  0  |   1    |    0    |
> |  0  |   0    |    1    |
> |  0  |   1    |    1    |
> |  1  |   0    |    1    |
> +------------------------+
>
>
> Thank you
> Yao Jiewen
>
>> -----Original Message-----
>> From: Brijesh Singh
>> Sent: Tuesday, June 29, 2021 1:42 AM
>> To: devel@edk2.groups.io
>> Cc: James Bottomley; Xu, Min M; Yao, Jiewen; Tom Lendacky;
>> Justen, Jordan L; Ard Biesheuvel; Laszlo Ersek; Erdem Aktas;
>> Dong, Eric; Ni, Ray; Kumar, Rahul1; Kinney, Michael D; Liming Gao;
>> Liu, Zhiguang; Michael Roth; Brijesh Singh
>> Subject: [RFC PATCH v4 00/27] Add AMD Secure Nested Paging (SEV-SNP)
>> support
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>
>> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
>> new hardware-based memory protections. SEV-SNP adds strong memory
>> integrity protection to help prevent malicious hypervisor-based attacks
>> like data replay, memory re-mapping and more in order to create an
>> isolated memory encryption environment.
>>
>> This series provides the basic building blocks to support booting the
>> SEV-SNP VMs, it does not cover all the security enhancement introduced
>> by the SEV-SNP such as interrupt protection.
>>
>> Many of the integrity guarantees of SEV-SNP are enforced through a new
>> structure called the Reverse Map Table (RMP). Adding a new page to
>> SEV-SNP VM requires a 2-step process. First, the hypervisor assigns a
>> page to the guest using the new RMPUPDATE instruction. This transitions
>> the page to guest-invalid. Second, the guest validates the page using
>> the new PVALIDATE instruction. The SEV-SNP VMs can use the new "Page
>> State Change Request NAE" defined in the GHCB specification to ask
>> hypervisor to add or remove page from the RMP table.
>>
>> Each page assigned to the SEV-SNP VM can either be validated or
>> unvalidated, as indicated by the Validated flag in the page's RMP
>> entry. There are two approaches that can be taken for the page
>> validation: Pre-validation and Lazy Validation.
>>
>> Under pre-validation, the pages are validated prior to first use. And
>> under lazy validation, pages are validated when first accessed. An
>> access to an unvalidated page results in a #VC exception, at which time
>> the exception handler may validate the page. Lazy validation requires
>> careful tracking of the validated pages to avoid validating the same
>> GPA more than once. The recently introduced "Unaccepted" memory type
>> can be used to communicate the unvalidated memory ranges to the Guest
>> OS.
>>
>> At this time we only support the pre-validation. OVMF detects all the
>> available system RAM in the PEI phase. When SEV-SNP is enabled, the
>> memory is validated before it is made available to the EDK2 core.
>>
>> This series does not implement the following SEV-SNP features yet:
>>
>> * CPUID filtering
>> * Lazy validation
>> * Interrupt security
>>
>> Additional resources
>> ---------------------
>> SEV-SNP whitepaper
>> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-
>> isolation-with-integrity-protection-and-more.pdf
>>
>> APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)
>>
>> The complete source is available at
>> https://github.com/AMDESE/ovmf/tree/sev-snp-rfc-4
>>
>> GHCB spec:
>> https://developer.amd.com/wp-content/resources/56421.pdf
>>
>> SEV-SNP firmware specification:
>> https://www.amd.com/system/files/TechDocs/56860.pdf
>>
>> Brijesh Singh (26):
>>   OvmfPkg/ResetVector: move SEV specific code in a separate file
>>   OvmfPkg/ResetVector: add the macro to invoke MSR protocol based
>>     VMGEXIT
>>   OvmfPkg/ResetVector: add the macro to request guest termination
>>   OvmfPkg: reserve SNP secrets page
>>   OvmfPkg: reserve CPUID page for SEV-SNP
>>   OvmfPkg/ResetVector: introduce SEV-SNP boot block GUID
>>   OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
>>   OvmfPkg/ResetVector: invalidate the GHCB page
>>   UefiCpuPkg: Define the SEV-SNP specific dynamic PCDs
>>   OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
>>   OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
>>   OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
>>   OvmfPkg/AmdSevDxe: do not use extended PCI config space
>>   OvmfPkg/MemEncryptSevLib: add support to validate system RAM
>>   OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
>>   OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI
>>     phase
>>   OvmfPkg/SecMain: pre-validate the memory used for decompressing Fv
>>   OvmfPkg/PlatformPei: validate the system RAM when SNP is active
>>   OvmfPkg/PlatformPei: set the SEV-SNP enabled PCD
>>   OvmfPkg/PlatformPei: set the Hypervisor Features PCD
>>   MdePkg/GHCB: increase the GHCB protocol max version
>>   UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is
>>     enabled
>>   OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
>>   OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
>>   OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
>>   OvmfPkg/AmdSev: expose the SNP reserved pages through configuration
>>     table
>>
>> Tom Lendacky (1):
>>   UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
>>
>>  OvmfPkg/OvmfPkg.dec | 24 +
>>  UefiCpuPkg/UefiCpuPkg.dec | 11 +
>>  OvmfPkg/AmdSev/AmdSevX64.dsc | 5 +-
>>  OvmfPkg/Bhyve/BhyveX64.dsc | 5 +-
>>  OvmfPkg/OvmfPkgIa32.dsc | 1 +
>>  OvmfPkg/OvmfPkgIa32X64.dsc | 6 +-
>>  OvmfPkg/OvmfPkgX64.dsc | 5 +-
>>  OvmfPkg/OvmfXen.dsc | 5 +-
>>  OvmfPkg/OvmfPkgX64.fdf | 14 +-
>>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 +
>>  .../DxeMemEncryptSevLib.inf | 3 +
>>  .../PeiMemEncryptSevLib.inf | 7 +
>>  .../SecMemEncryptSevLib.inf | 3 +
>>  OvmfPkg/PlatformPei/PlatformPei.inf | 8 +
>>  OvmfPkg/ResetVector/ResetVector.inf | 6 +
>>  OvmfPkg/Sec/SecMain.inf | 3 +
>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 4 +
>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 4 +
>>  MdePkg/Include/Register/Amd/Ghcb.h | 2 +-
>>  .../Guid/ConfidentialComputingSecret.h | 18 +
>>  OvmfPkg/Include/Library/MemEncryptSevLib.h | 26 ++
>>  .../X64/SnpPageStateChange.h | 31 ++
>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 19 +
>>  UefiCpuPkg/Library/MpInitLib/MpLib.h | 19 +
>>  OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 +
>>  .../DxeMemEncryptSevLibInternal.c | 27 ++
>>  .../Ia32/MemEncryptSevLib.c | 17 +
>>  .../PeiMemEncryptSevLibInternal.c | 27 ++
>>  .../SecMemEncryptSevLibInternal.c | 19 +
>>  .../X64/DxeSnpSystemRamValidate.c | 40 ++
>>  .../X64/PeiDxeVirtualMemory.c | 167 ++++++-
>>  .../X64/PeiSnpSystemRamValidate.c | 126 ++++++
>>  .../X64/SecSnpSystemRamValidate.c | 36 ++
>>  .../X64/SnpPageStateChangeInternal.c | 295 +++++++++++++
>>  OvmfPkg/PlatformPei/AmdSev.c | 192 ++++++++
>>  OvmfPkg/PlatformPei/MemDetect.c | 21 +
>>  OvmfPkg/Sec/SecMain.c | 111 +++++
>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 11 +-
>>  .../MpInitLib/Ia32/SevSnpRmpAdjustInternal.c | 31 ++
>>  UefiCpuPkg/Library/MpInitLib/MpLib.c | 275 +++++++++++-
>>  .../MpInitLib/X64/SevSnpRmpAdjustInternal.c | 44 ++
>>  OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 +
>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 27 ++
>>  .../Ia32/{PageTables64.asm => AmdSev.asm} | 415 +++++++++---------
>>  OvmfPkg/ResetVector/Ia32/PageTables64.asm | 404 +----------------
>>  OvmfPkg/ResetVector/ResetVector.nasmb | 7 +
>>  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 +
>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 51 +++
>>  48 files changed, 1978 insertions(+), 630 deletions(-)
>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/SevSnpRmpAdjustInternal.c
>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/SevSnpRmpAdjustInternal.c
>>  copy OvmfPkg/ResetVector/Ia32/{PageTables64.asm => AmdSev.asm} (67%)
>>
>> --
>> 2.17.1
>
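
Added example, not part of the original message or of the patch series: a toy C model of the two-step page add described in the cover letter (RMPUPDATE makes a page guest-invalid, PVALIDATE validates it) and of why a guest must track which GPAs it has already validated. The SnpModel type and all function names are hypothetical; no real instruction is executed and the real RMP entry layout is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NPAGES 8   /* constructed toy guest with 8 page frames */

typedef enum { PG_OK, PG_NOT_ASSIGNED, PG_ALREADY_VALIDATED } PgStatus;

/* Hypothetical model, not the RMP layout: two flags per guest frame, plus
 * the guest's private record of every frame it has validated. */
typedef struct {
    bool assigned[NPAGES];
    bool validated[NPAGES];
    bool guest_log[NPAGES];
} SnpModel;

void snp_init(SnpModel *m) { memset(m, 0, sizeof *m); }

/* Step 1, hypervisor side (RMPUPDATE): the page becomes guest-invalid. */
void hv_rmpupdate(SnpModel *m, size_t gfn) {
    if (gfn >= NPAGES) return;
    m->assigned[gfn] = true;
    m->validated[gfn] = false;
}

/* Step 2, guest side (PVALIDATE): refused if this frame was validated before. */
PgStatus guest_pvalidate(SnpModel *m, size_t gfn) {
    if (gfn >= NPAGES || !m->assigned[gfn]) return PG_NOT_ASSIGNED;
    if (m->guest_log[gfn]) return PG_ALREADY_VALIDATED;
    m->validated[gfn] = true;
    m->guest_log[gfn] = true;
    return PG_OK;
}

/* Pre-validation: validate a range before first use; returns pages done. */
size_t guest_prevalidate(SnpModel *m, size_t first, size_t count) {
    size_t done = 0;
    while (done < count && guest_pvalidate(m, first + done) == PG_OK) done++;
    return done;
}

/* true = access succeeds; false = hardware would raise #VC. */
bool guest_access(const SnpModel *m, size_t gfn) {
    return gfn < NPAGES && m->assigned[gfn] && m->validated[gfn];
}

/* Host re-issues RMPUPDATE on a frame the guest already validated. */
PgStatus demo_reassign_after_validate(void) {
    SnpModel m;
    snp_init(&m);
    for (size_t g = 0; g < 4; g++) hv_rmpupdate(&m, g);
    if (guest_prevalidate(&m, 0, 4) != 4) return PG_NOT_ASSIGNED;
    hv_rmpupdate(&m, 2);                    /* frame 2 is guest-invalid again */
    if (guest_access(&m, 2)) return PG_OK;  /* not taken: the access faults */
    return guest_pvalidate(&m, 2);          /* tracked guest refuses */
}

int main(void) {
    return demo_reassign_after_validate() == PG_ALREADY_VALIDATED ? 0 : 1;
}
```

A handler that validated on every fault without consulting its own record would return PG_OK in the last step and accept whatever now backs that GPA, which is the double-validation case the cover letter says lazy validation has to avoid.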