public inbox for devel@edk2.groups.io
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: "Xu, Min M" <min.m.xu@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH V2 4/4] OvmfPkg/ResetVector: Update ResetVector to support Tdx
Date: Fri, 23 Jul 2021 08:35:21 -0500
Message-ID: <3fe842c1-a720-82ab-0d63-c86acdaad817@amd.com>
In-Reply-To: <PH0PR11MB50644529147B632D829593FCC5E49@PH0PR11MB5064.namprd11.prod.outlook.com>

On 7/22/21 5:58 PM, Xu, Min M wrote:
> On July 23, 2021 1:08 AM, Tom Lendacky wrote:
>> On 7/22/21 12:52 AM, Min Xu wrote:
>>> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>>>
>>> diff --git a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> b/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> index c6d0d898bcd1..2206ca719593 100644
>>> --- a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> +++ b/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> @@ -17,6 +17,9 @@ Transition32FlatTo64Flat:
>>>
>>>      OneTimeCall SetCr3ForPageTables64
>>>
>>> +    cmp     dword[TDX_WORK_AREA], 0x47584454 ; 'TDXG'
>>> +    jz      TdxTransition32FlatTo64Flat
>>> +
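Review bot: The added `cmp dword[TDX_WORK_AREA], 0x47584454` directly after `OneTimeCall SetCr3ForPageTables64` selects the boot path from memory that nothing visible in this hunk initializes, so a non-TDX guest takes the `jz TdxTransition32FlatTo64Flat` branch whenever that dword happens to hold 'TDXG'. Zero the work area early in the reset vector on the non-TDX path, before this compare is reached, and add a comment stating that the clear exists so the signature test cannot match stale data. The literal 0x47584454 would also read better as a named define than as a bare constant with a trailing comment.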
>>
>> Is the memory area guaranteed to be zeroed for legacy guests? Hopefully,
>> this won't trip up a non-TDX guest with a false match (highly unlikely, though).
>>
> TDX_WORK_AREA is a piece of TdxMailbox, which is located in the MEMFD starting
> from PcdOvmfSecGhcbBackupBase. In a Td guest, this memory region is initialized
> to all-0 by the host VMM. In legacy guests, I am not sure what the initialized
> value is. So 'TDXG' is checked to guarantee whether it is a Td guest or not.
> Since Tdx re-uses the memory region (PcdOvmfSecGhcbBackupBase) as the
> TDX_WORK_AREA, and @Tom Lendacky you should be the original owner of
> PcdOvmfSecGhcbBackupBase, can this area be cleared at the beginning of
> ResetVector in legacy guests? Or should I rather create a TDX-specific work
> area in MEMFD to guarantee the Td and Non-Td check?

I believe PcdOvmfSecGhcbBackupBase can be cleared early. For SEV-ES, it
isn't shared with the hypervisor, so clearing it before activating the
pagetables can be done (it will be treated as encrypted before paging is
enabled and mapped as encrypted after paging is enabled) and for a legacy
guest the mapping doesn't matter. It isn't required to be cleared today,
so if you do add something, be sure to put a comment in there about why
it's being done. No need for a new area.

The possibility of random data being there that matches 'TDXG' is
extremely low. But better safe than sorry, I guess.

Thanks,
Tom

>>
