Subject: Re: [edk2-devel] [PATCH v2 05/15] OvmfPkg/MemEncryptSevLib: Save the encryption mask at boot time
To: devel@edk2.groups.io, thomas.lendacky@amd.com
Cc: Brijesh Singh, James Bottomley, Jordan Justen, Ard Biesheuvel
From: "Laszlo Ersek"
Message-ID: <3d9b89f9-65b7-9ab3-9089-81496fb24bb8@redhat.com>
Date: Thu, 7 Jan 2021 15:52:56 +0100

On 01/06/21 22:21, Lendacky, Thomas wrote:
> From: Tom Lendacky
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
>
> The early assembler code performs validation for some of the SEV-related
> information, specifically the encryption bit position. To avoid having to
> re-validate the encryption bit position as the system proceeds through its
> boot phases, save the validated encryption bit position in the SEV-ES work
> area for use by later phases.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Brijesh Singh
> Signed-off-by: Tom Lendacky
> ---
> OvmfPkg/Include/Library/MemEncryptSevLib.h | 2 ++
> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +++++++++-
> OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
> 3 files changed, 12 insertions(+), 1 deletion(-)

I think if we replaced "MemEncryptSevLib" with "ResetVector" in the subject line, that would be more precise. If a v3 becomes necessary, please do that; otherwise I can do the update when I merge v2 (but even if I forget that, it's not a big deal).

Reviewed-by: Laszlo Ersek

Thanks,
Laszlo

> > diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h > index dc09c61e58bb..a2c70aa550fe 100644 > --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h > +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h > @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { > UINT8 Reserved1[7]; > > UINT64 RandomData; > + > + UINT64 EncryptionMask; > } SEC_SEV_ES_WORK_AREA; > > /**
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > index a1771dfdec23..5fae8986d9da 100644 > --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > @@ -145,7 +145,7 @@ GetSevEncBit: > > ; The encryption bit position is always above 31 > sub ebx, 32 > - jns SevExit > + jns SevSaveMask > > ; Encryption bit was reported as 31 or below, enter a HLT loop > SevEncBitLowHlt: > @@ -153,6 +153,14 @@ SevEncBitLowHlt: > hlt > jmp SevEncBitLowHlt > > +SevSaveMask: > + xor edx, edx > + bts edx, ebx > + > + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 > + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx > + jmp SevExit > + > NoSev: > ; > ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. > diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb > index d3aa87982959..5fbacaed5f9d 100644 > --- a/OvmfPkg/ResetVector/ResetVector.nasmb > +++ b/OvmfPkg/ResetVector/ResetVector.nasmb > @@ -74,6 +74,7 @@ > %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) > %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) > %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) > + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) > %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) > %include "Ia32/Flat32ToFlat64.asm" > %include "Ia32/PageTables64.asm" >
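
Review bot: In the MemEncryptSevLib.h hunk, the new EncryptionMask field of SEC_SEV_ES_WORK_AREA has no comment, and the commit message speaks of saving the "encryption bit position" while SevSaveMask stores a 64-bit value with a single bit set. A one-line comment on the field saying that it holds the mask (not the bit number) and that the reset vector code writes it would keep later consumers from misreading it.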
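
Review bot: SevSaveMask in PageTables64.asm is the only place in this patch that writes SEV_ES_WORK_AREA_ENC_MASK, and it is reached only through "jns SevSaveMask"; the NoSev path and the SevEncBitLowHlt loop never store to it. If the work area is not already zeroed by earlier code (not visible in these hunks), a later reader of EncryptionMask on a non-SEV boot sees whatever was in memory, so either clear the field on the NoSev path or document that it is valid only when SEV is active. The new block would also benefit from a comment noting that ebx holds the bit position minus 32, which is why the bit is set in the upper dword and the lower dword is written as 0; bts with a register destination takes the bit offset modulo 32, so the block relies on ebx being in the range 0..31 at this point.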
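
Review bot: The "+ 16" in the SEV_ES_WORK_AREA_ENC_MASK define in ResetVector.nasmb duplicates the offset of EncryptionMask in the C struct SEC_SEV_ES_WORK_AREA, and nothing in the patch ties the two together. A comment next to the define naming the struct field, or a STATIC_ASSERT on OFFSET_OF (SEC_SEV_ES_WORK_AREA, EncryptionMask) in C code that includes the header, would catch a future layout change that moves the field.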