From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: "Xu, Min M", "devel@edk2.groups.io"
Cc: Ard Biesheuvel, Brijesh Singh, Erdem Aktas, James Bottomley, "Yao, Jiewen"
Subject: Re: [PATCH V2 4/4] OvmfPkg/ResetVector: Update ResetVector to support Tdx
Date: Fri, 23 Jul 2021 08:35:21 -0500
Message-ID: <3fe842c1-a720-82ab-0d63-c86acdaad817@amd.com>
References: <0e28e0d01b2db776c5c00469bac5097a326c3ed9.1626931332.git.min.m.xu@intel.com> <9da89b5e-0092-d349-3f05-8329dfdf3917@amd.com>
On 7/22/21 5:58 PM, Xu, Min M wrote:
> On July 23, 2021 1:08 AM, Tom Lendacky wrote:
>> On 7/22/21 12:52 AM, Min Xu wrote:
>>> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>>>
>>> diff --git a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> b/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> index c6d0d898bcd1..2206ca719593 100644
>>> --- a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> +++ b/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm
>>> @@ -17,6 +17,9 @@ Transition32FlatTo64Flat:
>>>
>>> OneTimeCall SetCr3ForPageTables64
>>>
>>> + cmp dword[TDX_WORK_AREA], 0x47584454 ; 'TDXG'
>>> + jz TdxTransition32FlatTo64Flat
>>> +
>>
>> Is the memory area guaranteed to be zeroed for legacy guests? Hopefully,
>> this won't trip up a non-TDX guest with a false match (highly unlikely, though).
>>
> TDX_WORK_AREA is a piece of TdxMailbox which is located in the MEMFD started
> from PcdOvmfSecGhcbBackupBase. In a Td guest, this memory region is initialized
> to all-0 by the host VMM. In legacy guests, I am not sure what its initialized
> value is. So 'TDXG' is checked to determine whether it is a Td guest or not.
> Since Tdx reuses the memory region (PcdOvmfSecGhcbBackupBase) as the
> TDX_WORK_AREA, and @Tom Lendacky you should be the original owner of
> PcdOvmfSecGhcbBackupBase, can this area be cleared in the beginning of
> ResetVector in legacy guests? Or should I better create a TDX specific work
> area in MEMFD to guarantee the Td and Non-Td check?

I believe PcdOvmfSecGhcbBackupBase can be cleared early. For SEV-ES, it isn't
shared with the hypervisor, so clearing it before activating the pagetables can
be done (it will be treated as encrypted before paging is enabled and mapped as
encrypted after paging is enabled) and for a legacy guest the mapping doesn't
matter. It isn't required to be cleared today, so if you do add something, be
sure to put a comment in there about why it's being done.

No need for a new area. The possibility of random data being there that matches
'TDXG' is extremely low. But better safe than sorry, I guess.

Thanks,
Tom
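Review bot: the `cmp dword[TDX_WORK_AREA], 0x47584454` / `jz TdxTransition32FlatTo64Flat` pair in the Transition32FlatTo64Flat hunk selects the TDX path on nothing more than a 4-byte signature in a region that, per the discussion above, is only known to be zero-initialised for TD guests; on a legacy or SEV-ES guest PcdOvmfSecGhcbBackupBase holds whatever the platform left there, so a stale 'TDXG' would divert a non-TDX guest into the TDX transition. Suggest clearing the work area before this compare, as Tom describes (it can be done before paging is enabled), and adding a comment at the clear explaining that the zeroing exists solely so that this signature test is meaningful for non-TD guests, since nothing else requires the area to be cleared today. Minor: the immediate 0x47584454 is the bytes 'T','D','X','G' in little-endian memory order, so the `; 'TDXG'` comment is accurate.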