* [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER
From: Alexey Kardashevskiy via groups.io @ 2024-06-05 2:09 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
Michael Roth, Min Xu, Alexey Kardashevskiy
For now we need DebugSwap but others are likely to be needed too.
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* added more from April/2024 APM
---
MdePkg/Include/Register/Amd/Fam17Msr.h | 95 +++++++++++++++++++-
1 file changed, 91 insertions(+), 4 deletions(-)
diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Register/Amd/Fam17Msr.h
index f2d5ccb39dc7..286b337f70fa 100644
--- a/MdePkg/Include/Register/Amd/Fam17Msr.h
+++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
@@ -126,19 +126,106 @@ typedef union {
///
/// [Bit 0] Secure Encrypted Virtualization (Sev) is enabled
///
- UINT32 SevBit : 1;
+ UINT32 SevBit : 1;
///
/// [Bit 1] Secure Encrypted Virtualization Encrypted State (SevEs) is enabled
///
- UINT32 SevEsBit : 1;
+ UINT32 SevEsBit : 1;
///
/// [Bit 2] Secure Nested Paging (SevSnp) is enabled
///
- UINT32 SevSnpBit : 1;
+ UINT32 SevSnpBit : 1;
- UINT32 Reserved2 : 29;
+ ///
+ /// [Bit 3] Virtual TOM feature is enabled in SEV_FEATURES[1]
+ ///
+ UINT32 vTOM : 1;
+
+ ///
+ /// [Bit 4] ReflectVC feature is enabled in SEV_FEATURES[2]
+ ///
+ UINT32 ReflectVC : 1;
+
+ ///
+ /// [Bit 5] Restricted Injection feature is enabled in SEV_FEATURES[3]
+ ///
+ UINT32 RestrictedInjection : 1;
+
+ ///
+ /// [Bit 6] Alternate Injection feature is enabled in SEV_FEATURES[4]
+ ///
+ UINT32 AlternateInjection : 1;
+
+ ///
+ /// [Bit 7] Debug Virtualization feature is enabled in SEV_FEATURES[5]
+ ///
+ UINT32 DebugVirtualization : 1;
+
+ ///
+ /// [Bit 8] PreventHostIBS feature is enabled in SEV_FEATURES[6]
+ ///
+ UINT32 PreventHostIBS : 1;
+
+ ///
+ /// [Bit 9] BTB isolation feature is enabled in SEV_FEATURES[7]
+ ///
+ UINT32 SNPBTBIsolation : 1;
+
+ ///
+ /// [Bit 10] VMPL SSS feature is enabled in SEV_FEATURES[8]
+ ///
+ UINT32 VmplSSS : 1;
+
+ ///
+ /// [Bit 11] Secure TSC feature is enabled in SEV_FEATURES[9]
+ ///
+ UINT32 SecureTsc : 1;
+
+ ///
+ /// [Bit 12] VMGEXIT Parameter feature is enabled in SEV_FEATURES[10]
+ ///
+ UINT32 VmgexitParameter : 1;
+
+ ///
+ /// [Bit 13] PMC Virtualization feature is enabled in SEV_FEATURES[11]
+ ///
+ UINT32 PmcVirtualization : 1;
+
+ ///
+ /// [Bit 14] IBS Virtualization feature is enabled in SEV_FEATURES[12]
+ ///
+ UINT32 IbsVirtualization : 1;
+
+ ///
+ /// [Bit 15]
+ ///
+ UINT32 Reserved1 : 1;
+
+ ///
+ /// [Bit 16] VMSA Register Protection feature is enabled in SEV_FEATURES[14]
+ ///
+ UINT32 VmsaRegProt : 1;
+
+ ///
+ /// [Bit 17] SMT Protection feature is enabled in SEV_FEATURES[15]
+ ///
+ UINT32 SmtProtection : 1;
+ ///
+ ///
+ /// [Bit 18] Secure AVIC feature is enabled in SEV_FEATURES[16]
+ ///
+ UINT32 SecureAVIC : 1;
+
+ UINT32 Reserved2 : 4;
+
+ ///
+ /// [Bit 23] IBPB on Entry feature is enabled in SEV_FEATURES[21]
+ ///
+ UINT32 IbpbOnEntry : 1;
+
+ UINT32 Reserved3 : 8;
} Bits;
///
/// All bit fields as a 32-bit value
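Review bot: the entry between `SmtProtection` and `SecureAVIC` has a doubled `///` and no blank separator line, unlike every other field in this hunk; drop the extra `///` and add the blank line so the `[Bit 18]` comment stays attached to `SecureAVIC`. Style: the new names mix capitalisation (`vTOM`, `SNPBTBIsolation`, `SecureAVIC`, `VmplSSS` beside `SecureTsc`, `VmsaRegProt`); pick one convention. The widths add up (19 + 4 + 1 + 8 = 32), so the bit-field view still matches the 32-bit value below it. The commit message still says "DebugSwap" although this hunk names the bit `DebugVirtualization` and the rest of the series renames it; update the text to match.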
--
2.44.0
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119459): https://edk2.groups.io/g/devel/message/119459
Mute This Topic: https://groups.io/mt/106496074/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
* Re: [edk2-devel] [PATCH ovmf v4 1/5] MdePkg/Register/Amd: Define all bits from MSR_SEV_STATUS_REGISTER
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:33 UTC (permalink / raw)
To: Alexey Kardashevskiy, devel
Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu
On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> For now we need DebugSwap but others are likely to be needed too.
>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> Changes:
> v4:
> * added more from April/2024 APM
> ---
> MdePkg/Include/Register/Amd/Fam17Msr.h | 95 +++++++++++++++++++-
> 1 file changed, 91 insertions(+), 4 deletions(-)
>
> diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Register/Amd/Fam17Msr.h
> index f2d5ccb39dc7..286b337f70fa 100644
> --- a/MdePkg/Include/Register/Amd/Fam17Msr.h
> +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
> @@ -126,19 +126,106 @@ typedef union {
> ///
> /// [Bit 0] Secure Encrypted Virtualization (Sev) is enabled
> ///
> - UINT32 SevBit : 1;
> + UINT32 SevBit : 1;
>
> ///
> /// [Bit 1] Secure Encrypted Virtualization Encrypted State (SevEs) is enabled
> ///
> - UINT32 SevEsBit : 1;
> + UINT32 SevEsBit : 1;
>
> ///
> /// [Bit 2] Secure Nested Paging (SevSnp) is enabled
> ///
> - UINT32 SevSnpBit : 1;
> + UINT32 SevSnpBit : 1;
>
> - UINT32 Reserved2 : 29;
> + ///
> + /// [Bit 3] Virtual TOM feature is enabled in SEV_FEATURES[1]
> + ///
> + UINT32 vTOM : 1;
> +
> + ///
> + /// [Bit 4] ReflectVC feature is enabled in SEV_FEATURES[2]
> + ///
> + UINT32 ReflectVC : 1;
> +
> + ///
> + /// [Bit 5] Restricted Injection feature is enabled in SEV_FEATURES[3]
> + ///
> + UINT32 RestrictedInjection : 1;
> +
> + ///
> + /// [Bit 6] Alternate Injection feature is enabled in SEV_FEATURES[4]
> + ///
> + UINT32 AlternateInjection : 1;
> +
> + ///
> + /// [Bit 7] Debug Virtualization feature is enabled in SEV_FEATURES[5]
> + ///
> + UINT32 DebugVirtualization : 1;
> +
> + ///
> + /// [Bit 8] PreventHostIBS feature is enabled in SEV_FEATURES[6]
> + ///
> + UINT32 PreventHostIBS : 1;
> +
> + ///
> + /// [Bit 9] BTB isolation feature is enabled in SEV_FEATURES[7]
> + ///
> + UINT32 SNPBTBIsolation : 1;
> +
> + ///
> + /// [Bit 10] VMPL SSS feature is enabled in SEV_FEATURES[8]
> + ///
> + UINT32 VmplSSS : 1;
> +
> + ///
> + /// [Bit 11] Secure TSC feature is enabled in SEV_FEATURES[9]
> + ///
> + UINT32 SecureTsc : 1;
> +
> + ///
> + /// [Bit 12] VMGEXIT Parameter feature is enabled in SEV_FEATURES[10]
> + ///
> + UINT32 VmgexitParameter : 1;
> +
> + ///
> + /// [Bit 13] PMC Virtualization feature is enabled in SEV_FEATURES[11]
> + ///
> + UINT32 PmcVirtualization : 1;
> +
> + ///
> + /// [Bit 14] IBS Virtualization feature is enabled in SEV_FEATURES[12]
> + ///
> + UINT32 IbsVirtualization : 1;
> +
> + ///
> + /// [Bit 15]
> + ///
> + UINT32 Reserved1 : 1;
> +
> + ///
> + /// [Bit 16] VMSA Register Protection feature is enabled in SEV_FEATURES[14]
> + ///
> + UINT32 VmsaRegProt : 1;
> +
> + ///
> + /// [Bit 17] SMT Protection feature is enabled in SEV_FEATURES[15]
> + ///
> + UINT32 SmtProtection : 1;
> + ///
> + ///
> + /// [Bit 18] Secure AVIC feature is enabled in SEV_FEATURES[16]
> + ///
> + UINT32 SecureAVIC : 1;
> +
> + UINT32 Reserved2 : 4;
> +
> + ///
> + /// [Bit 23] IBPB on Entry feature is enabled in SEV_FEATURES[21]
> + ///
> + UINT32 IbpbOnEntry : 1;
> +
> + UINT32 Reserved3 : 8;
> } Bits;
> ///
> /// All bit fields as a 32-bit value
* [edk2-devel] [PATCH ovmf v4 2/5] MdePkg: Add AMD SEV features to PcdConfidentialComputingGuestAttr
From: Alexey Kardashevskiy via groups.io @ 2024-06-05 2:09 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
Michael Roth, Min Xu, Alexey Kardashevskiy
PcdConfidentialComputingGuestAttr so far only contained an SEV mode bit
but there are other features which do not translate to levels
such as DebugVirtualization or SecureTsc.
Add the feature mask and the DebugVirtualization feature bit to the PCD.
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/CCAttrFeatureAmdSevDebugSwap/CCAttrFeatureAmdSevEsDebugVirtualization/
v2:
* expanded features mask
* added type mask
---
MdePkg/Include/ConfidentialComputingGuestAttr.h | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h
index 44e6df800207..f62158f77e03 100644
--- a/MdePkg/Include/ConfidentialComputingGuestAttr.h
+++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h
@@ -29,9 +29,20 @@ typedef enum {
/* The guest is running with Intel TDX memory encryption enabled. */
CCAttrIntelTdx = 0x200,
+
+ CCAttrTypeMask = 0x000000000000ffff,
+
+ /* Features */
+
+ /* The AMD SEV-ES DebugVirtualization feature is enabled in SEV_STATUS */
+ CCAttrFeatureAmdSevEsDebugVirtualization = 0x0000000000010000,
+
+ CCAttrFeatureMask = 0xffffffffffff0000,
} CONFIDENTIAL_COMPUTING_GUEST_ATTR;
-#define CC_GUEST_IS_TDX(x) ((x) == CCAttrIntelTdx)
-#define CC_GUEST_IS_SEV(x) ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)
+#define _CC_GUEST_IS_TDX(x) ((x) == CCAttrIntelTdx)
+#define CC_GUEST_IS_TDX(x) _CC_GUEST_IS_TDX((x) & CCAttrTypeMask)
+#define _CC_GUEST_IS_SEV(x) ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)
+#define CC_GUEST_IS_SEV(x) _CC_GUEST_IS_SEV((x) & CCAttrTypeMask)
#endif
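Review bot: `CCAttrFeatureMask = 0xffffffffffff0000` as an enumerator of `CONFIDENTIAL_COMPUTING_GUEST_ATTR` is not portable C: enumerator values must be representable as an `int`, so some toolchains will reject it and others will warn and truncate it, which silently turns the mask into 0. The value these masks are applied to is handled as a `UINT64` in the `AmdMemEncryptionAttrCheck` hunks of patches 3/5 and 4/5, so define `CCAttrTypeMask` and `CCAttrFeatureMask` as `#define` constants (or `STATIC CONST UINT64`) outside the enum and keep only the type and feature values inside it. Style: `_CC_GUEST_IS_TDX` and `_CC_GUEST_IS_SEV` begin with an underscore followed by an uppercase letter, a form reserved for the implementation; a name such as `CC_GUEST_TYPE_IS_TDX` avoids that. Masking with `CCAttrTypeMask` in `CC_GUEST_IS_TDX`/`CC_GUEST_IS_SEV` is the right fix, since a feature bit set in `x` would otherwise make every equality comparison fail and the guest would stop recognising its own SEV mode.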
--
2.44.0
* [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
From: Alexey Kardashevskiy via groups.io @ 2024-06-05 2:09 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
Michael Roth, Min Xu, Alexey Kardashevskiy
The SEV-ES DebugVirtualization feature enables type B swapping of
debug registers on #VMEXIT and makes #DB and DR7 intercepts
unnecessary and unwanted.
When DebugVirtualization is enabled, this stops booting if
#VC for #DB or DB7 read/write occurs as this signals unwanted
interaction from the HV.
Add new API to PEI, SEC, DXE.
This does not change the existing behaviour yet.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/DebugSwap/DebugVirtualization/
---
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +++++++++
OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++---
OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 +++++++++++
OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 +++++++++++
OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 8 ++++++
5 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index 4fa9c0d70083..c5653539d8d8 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask (
VOID
);
+/**
+ Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+ @retval TRUE DebugVirtualization is enabled
+ @retval FALSE DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+ VOID
+ );
+
/**
Returns the encryption state of the specified virtual address range.
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
index 4aba0075b9e2..9947d663deae 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
@@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck (
IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
)
{
+ UINT64 CurrentLevel;
+
+ CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
switch (Attr) {
case CCAttrAmdSev:
//
// SEV is automatically enabled if SEV-ES or SEV-SNP is active.
//
- return CurrentAttr >= CCAttrAmdSev;
+ return CurrentLevel >= CCAttrAmdSev;
case CCAttrAmdSevEs:
//
// SEV-ES is automatically enabled if SEV-SNP is active.
//
- return CurrentAttr >= CCAttrAmdSevEs;
+ return CurrentLevel >= CCAttrAmdSevEs;
case CCAttrAmdSevSnp:
- return CurrentAttr == CCAttrAmdSevSnp;
+ return CurrentLevel == CCAttrAmdSevSnp;
+ case CCAttrFeatureAmdSevEsDebugVirtualization:
+ return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
default:
return FALSE;
}
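Review bot: the new `CCAttrFeatureAmdSevEsDebugVirtualization` case tests only the feature bit in `CurrentAttr` and not the level, so a PCD value with that bit set but a type below `CCAttrAmdSevEs` would report an SEV-ES-only feature as enabled. Since the feature's name ties it to SEV-ES, consider `return CurrentLevel >= CCAttrAmdSevEs && (CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization) != 0;`, which also replaces the `!!` double negation with the explicit `!= 0` comparison that reads more clearly for a `BOOLEAN` return.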
@@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask (
return mSevEncryptionMask;
}
+
+/**
+ Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+ @retval TRUE DebugVirtualization is enabled
+ @retval FALSE DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+ VOID
+ )
+{
+ return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index 41d1246a5b31..7d823ad639f4 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask (
return SevEsWorkArea->EncryptionMask;
}
+
+/**
+ Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+ @retval TRUE DebugVirtualization is enabled
+ @retval FALSE DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+ VOID
+ )
+{
+ return FALSE;
+}
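Review bot: the PEI stub hard-codes `return FALSE;` with no comment; the commit message says existing behaviour is unchanged for now, so add a one-line comment in the body that the real lookup lands later in the series, otherwise a reader of this commit alone takes the stub as final. The same applies to the SEC stub in the next hunk.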
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 27148c7e337a..33a326ac1571 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask (
return SevEsWorkArea->EncryptionMask;
}
+/**
+ Returns a boolean to indicate whether DebugVirtualization is enabled.
+
+ @retval TRUE DebugVirtualization is enabled
+ @retval FALSE DebugVirtualization is not enabled
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevEsDebugVirtualizationIsEnabled (
+ VOID
+ )
+{
+ return FALSE;
+}
+
/**
Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
Save State Map.
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
index da8f1e5db9fa..2031fa9e22e6 100644
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
@@ -1609,6 +1609,10 @@ Dr7WriteExit (
UINT64 *Register;
UINT64 Status;
+ if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+ return UnsupportedExit (Ghcb, Regs, InstructionData);
+ }
+
Ext = &InstructionData->Ext;
SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
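Review bot: the early `UnsupportedExit` return has no comment explaining why a DR7 write #VC is refused; add one stating that with DebugVirtualization enabled the hardware swaps the debug registers itself, so a #VC for DR7 access means the hypervisor is intercepting DR7 when it must not, and the guest stops rather than honour the request (this is what the commit message describes, and it is the security point of the change). The commit message also says "DB7 read/write" where the code handles DR7. The same comment applies to the `Dr7ReadExit` hunk that follows.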
@@ -1659,6 +1663,10 @@ Dr7ReadExit (
SEV_ES_PER_CPU_DATA *SevEsData;
UINT64 *Register;
+ if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+ return UnsupportedExit (Ghcb, Regs, InstructionData);
+ }
+
Ext = &InstructionData->Ext;
SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
--
2.44.0
* Re: [edk2-devel] [PATCH ovmf v4 3/5] OvmfPkg: Add AMD SEV-ES DebugVirtualization feature support
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:47 UTC (permalink / raw)
To: Alexey Kardashevskiy, devel
Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu
On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> The SEV-ES DebugVirtualization feature enables type B swapping of
> debug registers on #VMEXIT and makes #DB and DR7 intercepts
> unnecessary and unwanted.
>
> When DebugVirtualization is enabled, this stops booting if
> #VC for #DB or DB7 read/write occurs as this signals unwanted
> interaction from the HV.
>
> Add new API to PEI, SEC, DXE.
>
> This does not change the existing behaviour yet.
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> Changes:
> v4:
> * s/DebugSwap/DebugVirtualization/
> ---
> OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +++++++++
> OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++---
> OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 +++++++++++
> OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 +++++++++++
> OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 8 ++++++
> 5 files changed, 74 insertions(+), 3 deletions(-)
>
> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> index 4fa9c0d70083..c5653539d8d8 100644
> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask (
> VOID
> );
>
> +/**
> + Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> + @retval TRUE DebugVirtualization is enabled
> + @retval FALSE DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> + VOID
> + );
> +
> /**
> Returns the encryption state of the specified virtual address range.
>
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> index 4aba0075b9e2..9947d663deae 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck (
> IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
> )
> {
> + UINT64 CurrentLevel;
> +
> + CurrentLevel = CurrentAttr & CCAttrTypeMask;
> +
> switch (Attr) {
> case CCAttrAmdSev:
> //
> // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
> //
> - return CurrentAttr >= CCAttrAmdSev;
> + return CurrentLevel >= CCAttrAmdSev;
> case CCAttrAmdSevEs:
> //
> // SEV-ES is automatically enabled if SEV-SNP is active.
> //
> - return CurrentAttr >= CCAttrAmdSevEs;
> + return CurrentLevel >= CCAttrAmdSevEs;
> case CCAttrAmdSevSnp:
> - return CurrentAttr == CCAttrAmdSevSnp;
> + return CurrentLevel == CCAttrAmdSevSnp;
> + case CCAttrFeatureAmdSevEsDebugVirtualization:
> + return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
> default:
> return FALSE;
> }
> @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask (
>
> return mSevEncryptionMask;
> }
> +
> +/**
> + Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> + @retval TRUE DebugVirtualization is enabled
> + @retval FALSE DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> + VOID
> + )
> +{
> + return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization);
> +}
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index 41d1246a5b31..7d823ad639f4 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask (
>
> return SevEsWorkArea->EncryptionMask;
> }
> +
> +/**
> + Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> + @retval TRUE DebugVirtualization is enabled
> + @retval FALSE DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> + VOID
> + )
> +{
> + return FALSE;
> +}
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> index 27148c7e337a..33a326ac1571 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> @@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask (
> return SevEsWorkArea->EncryptionMask;
> }
>
> +/**
> + Returns a boolean to indicate whether DebugVirtualization is enabled.
> +
> + @retval TRUE DebugVirtualization is enabled
> + @retval FALSE DebugVirtualization is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevEsDebugVirtualizationIsEnabled (
> + VOID
> + )
> +{
> + return FALSE;
> +}
> +
> /**
> Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
> Save State Map.
> diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> index da8f1e5db9fa..2031fa9e22e6 100644
> --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
> @@ -1609,6 +1609,10 @@ Dr7WriteExit (
> UINT64 *Register;
> UINT64 Status;
>
> + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> + return UnsupportedExit (Ghcb, Regs, InstructionData);
> + }
> +
> Ext = &InstructionData->Ext;
> SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
>
> @@ -1659,6 +1663,10 @@ Dr7ReadExit (
> SEV_ES_PER_CPU_DATA *SevEsData;
> UINT64 *Register;
>
> + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> + return UnsupportedExit (Ghcb, Regs, InstructionData);
> + }
> +
> Ext = &InstructionData->Ext;
> SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);
>
* [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support
From: Alexey Kardashevskiy via groups.io @ 2024-06-05 2:09 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
Michael Roth, Min Xu, Alexey Kardashevskiy, Jiaxin Wu,
Rahul Kumar, Ray Ni
CONFIDENTIAL_COMPUTING_GUEST_ATTR is not a simple SEV level anymore
and includes a feature mask since the previous commit.
Fix AmdMemEncryptionAttrCheck to check the level and feature
correctly and add DebugVirtualization support.
Since the actual feature flag is not set yet, this should cause
no behavioural change.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
UefiCpuPkg/Library/MpInitLib/MpLib.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
index f97298887f96..444df2abdc1d 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -3196,19 +3196,25 @@ AmdMemEncryptionAttrCheck (
IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
)
{
+ UINT64 CurrentLevel;
+
+ CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
switch (Attr) {
case CCAttrAmdSev:
//
// SEV is automatically enabled if SEV-ES or SEV-SNP is active.
//
- return CurrentAttr >= CCAttrAmdSev;
+ return CurrentLevel >= CCAttrAmdSev;
case CCAttrAmdSevEs:
//
// SEV-ES is automatically enabled if SEV-SNP is active.
//
- return CurrentAttr >= CCAttrAmdSevEs;
+ return CurrentLevel >= CCAttrAmdSevEs;
case CCAttrAmdSevSnp:
- return CurrentAttr == CCAttrAmdSevSnp;
+ return CurrentLevel == CCAttrAmdSevSnp;
+ case CCAttrFeatureAmdSevEsDebugVirtualization:
+ return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
default:
return FALSE;
}
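Review bot: this hunk duplicates the `AmdMemEncryptionAttrCheck` body from OvmfPkg's DxeMemEncryptSevLibInternal.c in patch 3/5 line for line, so the two copies will drift; since both include MdePkg's ConfidentialComputingGuestAttr.h, a shared inline helper there (or a MdePkg library function) taking `CurrentAttr` and `Attr` would keep a single copy. As in patch 3/5, the feature case checks only the bit and not that `CurrentLevel >= CCAttrAmdSevEs`.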
--
2.44.0
* Re: [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:51 UTC (permalink / raw)
To: Alexey Kardashevskiy, devel
Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu,
Jiaxin Wu, Rahul Kumar, Ray Ni
On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> CONFIDENTIAL_COMPUTING_GUEST_ATTR is not a simple SEV level anymore
> and includes a feature mask since the previous commit.
>
> Fix AmdMemEncryptionAttrCheck to check the level and feature
> correctly and add DebugVirtualization support.
>
> Since the actual feature flag is not set yet, this should cause
> no behavioural change.
>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> UefiCpuPkg/Library/MpInitLib/MpLib.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
> index f97298887f96..444df2abdc1d 100644
> --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
> +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
> @@ -3196,19 +3196,25 @@ AmdMemEncryptionAttrCheck (
> IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
> )
> {
> + UINT64 CurrentLevel;
> +
> + CurrentLevel = CurrentAttr & CCAttrTypeMask;
> +
> switch (Attr) {
> case CCAttrAmdSev:
> //
> // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
> //
> - return CurrentAttr >= CCAttrAmdSev;
> + return CurrentLevel >= CCAttrAmdSev;
> case CCAttrAmdSevEs:
> //
> // SEV-ES is automatically enabled if SEV-SNP is active.
> //
> - return CurrentAttr >= CCAttrAmdSevEs;
> + return CurrentLevel >= CCAttrAmdSevEs;
> case CCAttrAmdSevSnp:
> - return CurrentAttr == CCAttrAmdSevSnp;
> + return CurrentLevel == CCAttrAmdSevSnp;
> + case CCAttrFeatureAmdSevEsDebugVirtualization:
> + return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
> default:
> return FALSE;
> }
* [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkg: Enable AMD SEV-ES DebugVirtualization

2024-06-05 2:09 [edk2-devel] [PATCH ovmf v4 0/5] Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
` (3 preceding siblings ...)
2024-06-05 2:09 ` [edk2-devel] [PATCH ovmf v4 4/5] UefiCpuPkg: Add AMD SEV-ES features support Alexey Kardashevskiy via groups.io
@ 2024-06-05 2:09 ` Alexey Kardashevskiy via groups.io
2024-06-05 18:54 ` Lendacky, Thomas via groups.io
4 siblings, 1 reply; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-05 2:09 UTC (permalink / raw)
To: devel
Cc: Tom Lendacky, Liming Gao, Michael D Kinney, Zhiguang Liu,
Ard Biesheuvel, Erdem Aktas, Gerd Hoffmann, Jiewen Yao,
Michael Roth, Min Xu, Alexey Kardashevskiy
Write the feature bit into PcdConfidentialComputingGuestAttr
and enable DebugVirtualization in PEI, SEC, DXE.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
---
Changes:
v4:
* s/DebugSwap/DebugVirtualization/g
* the feature is enabled here for all modes
---
OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 6 +++++-
OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 6 +++++-
OvmfPkg/PlatformPei/AmdSev.c | 13 ++++++++++---
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index 7d823ad639f4..f381b9255bb7 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
VOID
)
{
- return FALSE;
+ MSR_SEV_STATUS_REGISTER Msr;
+
+ Msr.Uint32 = InternalMemEncryptSevStatus ();
+
+ return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
}
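Review bot: this body is duplicated verbatim in the Sec hunk that follows (`Msr.Uint32 = InternalMemEncryptSevStatus ();` then `Msr.Bits.DebugVirtualization ? TRUE : FALSE`); a single shared internal helper, or at least a shared macro, would keep the Pei and Sec instances of `MemEncryptSevEsDebugVirtualizationIsEnabled` from drifting apart when further SEV_FEATURES bits are added.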
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 33a326ac1571..946bed2ada13 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
VOID
)
{
- return FALSE;
+ MSR_SEV_STATUS_REGISTER Msr;
+
+ Msr.Uint32 = InternalMemEncryptSevStatus ();
+
+ return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
}
/**
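Review bot: the commit message says DebugVirtualization is enabled in PEI, SEC and DXE, but the diffstat touches only PeiMemEncryptSevLibInternal.c, SecMemEncryptSevLibInternal.c and PlatformPei/AmdSev.c; if the Dxe library instance is expected to pick the feature up from PcdConfidentialComputingGuestAttr rather than from the MSR, say so in the message, otherwise a Dxe hunk is missing.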
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 88ca14507f5e..8562787035db 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -434,6 +434,7 @@ AmdSevInitialize (
)
{
UINT64 EncryptionMask;
+ UINT64 CCGuestAttr;
RETURN_STATUS PcdStatus;
//
@@ -517,13 +518,19 @@ AmdSevInitialize (
// technology is active.
//
if (MemEncryptSevSnpIsEnabled ()) {
- PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
+ CCGuestAttr = CCAttrAmdSevSnp;
} else if (MemEncryptSevEsIsEnabled ()) {
- PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
+ CCGuestAttr = CCAttrAmdSevEs;
} else {
- PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);
+ CCGuestAttr = CCAttrAmdSev;
}
+ if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
+ CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
+ }
+
+ PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCGuestAttr);
+
ASSERT_RETURN_ERROR (PcdStatus);
}
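Review bot: the comment block above the if-chain (ending "technology is active.") still describes only the level selection; now that the feature bit is ORed into `CCGuestAttr` before the single `PcdSet64S`, extend it to say the PCD carries a level in the type field plus feature flags. Also, `MemEncryptSevEsDebugVirtualizationIsEnabled ()` is consulted in the plain-SEV branch too (the v4 changelog notes the feature is set for all modes); if the MSR feature bit is only meaningful once SEV-ES is active, gating the `|=` on `MemEncryptSevEsIsEnabled ()` would document that and keep the PCD's feature bits consistent with its level.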
--
2.44.0
View/Reply Online (#119463): https://edk2.groups.io/g/devel/message/119463
* Re: [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkg: Enable AMD SEV-ES DebugVirtualization
2024-06-05 2:09 ` [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkg: Enable AMD SEV-ES DebugVirtualization Alexey Kardashevskiy via groups.io
@ 2024-06-05 18:54 ` Lendacky, Thomas via groups.io
2024-06-12 1:24 ` Alexey Kardashevskiy via groups.io
0 siblings, 1 reply; 11+ messages in thread
From: Lendacky, Thomas via groups.io @ 2024-06-05 18:54 UTC (permalink / raw)
To: Alexey Kardashevskiy, devel
Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu
On 6/4/24 21:09, Alexey Kardashevskiy wrote:
> Write the feature bit into PcdConfidentialComputingGuestAttr
> and enable DebugVirtualization in PEI, SEC, DXE.
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> Changes:
> v4:
> * s/DebugSwap/DebugVirtualization/g
> * the feature is enabled here for all modes
> ---
> OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 6 +++++-
> OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 6 +++++-
> OvmfPkg/PlatformPei/AmdSev.c | 13 ++++++++++---
> 3 files changed, 20 insertions(+), 5 deletions(-)
>
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index 7d823ad639f4..f381b9255bb7 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
> VOID
> )
> {
> - return FALSE;
> + MSR_SEV_STATUS_REGISTER Msr;
> +
> + Msr.Uint32 = InternalMemEncryptSevStatus ();
> +
> + return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
> }
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> index 33a326ac1571..946bed2ada13 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> @@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
> VOID
> )
> {
> - return FALSE;
> + MSR_SEV_STATUS_REGISTER Msr;
> +
> + Msr.Uint32 = InternalMemEncryptSevStatus ();
> +
> + return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
> }
>
> /**
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index 88ca14507f5e..8562787035db 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -434,6 +434,7 @@ AmdSevInitialize (
> )
> {
> UINT64 EncryptionMask;
> + UINT64 CCGuestAttr;
> RETURN_STATUS PcdStatus;
>
> //
> @@ -517,13 +518,19 @@ AmdSevInitialize (
> // technology is active.
> //
> if (MemEncryptSevSnpIsEnabled ()) {
> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
> + CCGuestAttr = CCAttrAmdSevSnp;
> } else if (MemEncryptSevEsIsEnabled ()) {
> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
> + CCGuestAttr = CCAttrAmdSevEs;
> } else {
> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);
> + CCGuestAttr = CCAttrAmdSev;
> }
>
> + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
> + CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
> + }
> +
> + PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCGuestAttr);
> +
> ASSERT_RETURN_ERROR (PcdStatus);
> }
>
View/Reply Online (#119484): https://edk2.groups.io/g/devel/message/119484
* Re: [edk2-devel] [PATCH ovmf v4 5/5] OvmfPkg: Enable AMD SEV-ES DebugVirtualization
2024-06-05 18:54 ` Lendacky, Thomas via groups.io
@ 2024-06-12 1:24 ` Alexey Kardashevskiy via groups.io
0 siblings, 0 replies; 11+ messages in thread
From: Alexey Kardashevskiy via groups.io @ 2024-06-12 1:24 UTC (permalink / raw)
To: Tom Lendacky, devel
Cc: Liming Gao, Michael D Kinney, Zhiguang Liu, Ard Biesheuvel,
Erdem Aktas, Gerd Hoffmann, Jiewen Yao, Michael Roth, Min Xu
Thanks Tom!
Now, I've pushed it again to my GitHub,
https://github.com/tianocore/edk2/pull/5594, and re-ran the tasks, but "Review
required" is still there, so I assume re-posting patches won't help
get them in as I need more reviews, right?
On 6/6/24 04:54, Tom Lendacky wrote:
> On 6/4/24 21:09, Alexey Kardashevskiy wrote:
>> Write the feature bit into PcdConfidentialComputingGuestAttr
>> and enable DebugVirtualization in PEI, SEC, DXE.
>>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Erdem Aktas <erdemaktas@google.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Michael Roth <michael.roth@amd.com>
>> Cc: Min Xu <min.m.xu@intel.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
>
> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
>
>> ---
>> Changes:
>> v4:
>> * s/DebugSwap/DebugVirtualization/g
>> * the feature is enabled here for all modes
>> ---
>> OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> | 6 +++++-
>> OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> | 6 +++++-
>> OvmfPkg/PlatformPei/AmdSev.c |
>> 13 ++++++++++---
>> 3 files changed, 20 insertions(+), 5 deletions(-)
>>
>> diff --git
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> index 7d823ad639f4..f381b9255bb7 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> @@ -154,5 +154,9 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>> VOID
>> )
>> {
>> - return FALSE;
>> + MSR_SEV_STATUS_REGISTER Msr;
>> +
>> + Msr.Uint32 = InternalMemEncryptSevStatus ();
>> +
>> + return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>> }
>> diff --git
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> index 33a326ac1571..946bed2ada13 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>> @@ -154,7 +154,11 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
>> VOID
>> )
>> {
>> - return FALSE;
>> + MSR_SEV_STATUS_REGISTER Msr;
>> +
>> + Msr.Uint32 = InternalMemEncryptSevStatus ();
>> +
>> + return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
>> }
>> /**
>> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
>> index 88ca14507f5e..8562787035db 100644
>> --- a/OvmfPkg/PlatformPei/AmdSev.c
>> +++ b/OvmfPkg/PlatformPei/AmdSev.c
>> @@ -434,6 +434,7 @@ AmdSevInitialize (
>> )
>> {
>> UINT64 EncryptionMask;
>> + UINT64 CCGuestAttr;
>> RETURN_STATUS PcdStatus;
>> //
>> @@ -517,13 +518,19 @@ AmdSevInitialize (
>> // technology is active.
>> //
>> if (MemEncryptSevSnpIsEnabled ()) {
>> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
>> CCAttrAmdSevSnp);
>> + CCGuestAttr = CCAttrAmdSevSnp;
>> } else if (MemEncryptSevEsIsEnabled ()) {
>> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
>> CCAttrAmdSevEs);
>> + CCGuestAttr = CCAttrAmdSevEs;
>> } else {
>> - PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
>> CCAttrAmdSev);
>> + CCGuestAttr = CCAttrAmdSev;
>> }
>> + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) {
>> + CCGuestAttr |= CCAttrFeatureAmdSevEsDebugVirtualization;
>> + }
>> +
>> + PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr,
>> CCGuestAttr);
>> +
>> ASSERT_RETURN_ERROR (PcdStatus);
>> }
--
Alexey
View/Reply Online (#119555): https://edk2.groups.io/g/devel/message/119555