From: "Lendacky, Thomas"
To: devel@edk2.groups.io
CC: Brijesh Singh, James Bottomley, Jordan Justen, Laszlo Ersek, Ard Biesheuvel
Subject: [PATCH v3 01/15] Ovmf/ResetVector: Simplify and consolidate the SEV features checks
Date: Thu, 7 Jan 2021 12:48:11 -0600
Message-ID: <43a660624c32b5f6c2610bf42ee39101c21aff68.1610045305.git.thomas.lendacky@amd.com>

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

Simplify and consolidate the SEV and SEV-ES checks into a single routine. This new routine will use CPUID to check for the appropriate CPUID leaves and the required values, as well as read the non-interceptable SEV status MSR (0xc0010131) to check SEV and SEV-ES enablement.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Brijesh Singh
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
--- OvmfPkg/ResetVector/Ia32/PageTables64.asm | 75 ++++++++++++-------- 1 file changed, 45 insertions(+), 30 deletions(-) diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index 7c72128a84d6..4032719c3075 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -3,6 +3,7 @@ ; Sets the CR3 register for 64-bit paging ; ; Copyright (c) 2008 - 2013, Intel Corporation. All rights reserved.
+; Copyright (c) 2017 - 2020, Advanced Micro Devices, Inc. All rights reser= ved.
; SPDX-License-Identifier: BSD-2-Clause-Patent ; ;-------------------------------------------------------------------------= ----- @@ -62,18 +63,22 @@ BITS 32 %define CPUID_INSN_LEN 2 =20 =20 -; Check if Secure Encrypted Virtualization (SEV) feature is enabled +; Check if Secure Encrypted Virtualization (SEV) features are enabled. +; +; Register usage is tight in this routine, so multiple calls for the +; same CPUID and MSR data are performed to keep things simple. ; ; Modified: EAX, EBX, ECX, EDX, ESP ; ; If SEV is enabled then EAX will be at least 32. ; If SEV is disabled then EAX will be zero. ; -CheckSevFeature: +CheckSevFeatures: ; Set the first byte of the workarea to zero to communicate to the SEC ; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID ; instruction will trigger a #VC exception where the first byte of the - ; workarea will be set to one. + ; workarea will be set to one or, if CPUID is not being intercepted, + ; the MSR check below will set the first byte of the workarea to one. mov byte[SEV_ES_WORK_AREA], 0 =20 ; 
@@ -97,21 +102,41 @@ CheckSevFeature: cmp eax, 0x8000001f jl NoSev =20 - ; Check for memory encryption feature: + ; Check for SEV memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 1 ; CPUID raises a #VC exception if running as an SEV-ES guest - mov eax, 0x8000001f + mov eax, 0x8000001f cpuid bt eax, 1 jnc NoSev =20 - ; Check if memory encryption is enabled + ; Check if SEV memory encryption is enabled ; MSR_0xC0010131 - Bit 0 (SEV enabled) mov ecx, 0xc0010131 rdmsr bt eax, 0 jnc NoSev =20 + ; Check for SEV-ES memory encryption feature: + ; CPUID Fn8000_001F[EAX] - Bit 3 + ; CPUID raises a #VC exception if running as an SEV-ES guest + mov eax, 0x8000001f + cpuid + bt eax, 3 + jnc GetSevEncBit + + ; Check if SEV-ES is enabled + ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) + mov ecx, 0xc0010131 + rdmsr + bt eax, 1 + jnc GetSevEncBit + + ; Set the first byte of the workarea to one to communicate to the SEC + ; phase that SEV-ES is enabled. + mov byte[SEV_ES_WORK_AREA], 1 + +GetSevEncBit: ; Get pte bit position to enable memory encryption ; CPUID Fn8000_001F[EBX] - Bits 5:0 ; 
@@ -132,45 +157,35 @@ SevExit: pop eax mov esp, 0 =20 - OneTimeCallRet CheckSevFeature + OneTimeCallRet CheckSevFeatures =20 ; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feat= ure ; is enabled. ; -; Modified: EAX, EBX, ECX +; Modified: EAX ; ; If SEV-ES is enabled then EAX will be non-zero. ; If SEV-ES is disabled then EAX will be zero. ; -CheckSevEsFeature: +IsSevEsEnabled: xor eax, eax =20 - ; SEV-ES can't be enabled if SEV isn't, so first check the encryption - ; mask. - test edx, edx - jz NoSevEs + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if + ; SEV-ES is enabled. + cmp byte[SEV_ES_WORK_AREA], 1 + jne SevEsDisabled =20 - ; Save current value of encryption mask - mov ebx, edx + mov eax, 1 =20 - ; Check if SEV-ES is enabled - ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) - mov ecx, 0xc0010131 - rdmsr - and eax, 2 - - ; Restore encryption mask - mov edx, ebx - -NoSevEs: - OneTimeCallRet CheckSevEsFeature +SevEsDisabled: + OneTimeCallRet IsSevEsEnabled =20 ; ; Modified: EAX, EBX, ECX, EDX ; SetCr3ForPageTables64: =20 - OneTimeCall CheckSevFeature + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax jz SevNotActive @@ -229,7 +244,7 @@ pageTableEntriesLoop: mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx loop pageTableEntriesLoop =20 - OneTimeCall CheckSevEsFeature + OneTimeCall IsSevEsEnabled test eax, eax jz SetCr3 =20 @@ -336,8 +351,8 @@ SevEsIdtVmmComm: ; If we're here, then we are an SEV-ES guest and this ; was triggered by a CPUID instruction ; - ; Set the first byte of the workarea to one to communicate to the SEC - ; phase that SEV-ES is enabled. + ; Set the first byte of the workarea to one to communicate that + ; a #VC was taken. mov byte[SEV_ES_WORK_AREA], 1 =20 pop ecx ; Error code --=20 2.30.0
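
Review bot: In the @@ -62,18 +63,22 @@ hunk, the routine header for CheckSevFeatures still documents only EAX as the result ("If SEV is enabled then EAX will be at least 32"), although the routine now also leaves the SEV-ES state in the first byte of SEV_ES_WORK_AREA. Please list that byte as an output in the header next to the "Modified:" line, since IsSevEsEnabled later relies on it.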
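
Review bot: In the @@ -97,21 +102,41 @@ hunk, both "jnc GetSevEncBit" branches in the new SEV-ES block leave SEV_ES_WORK_AREA untouched, so on those paths the byte keeps whatever value it had: zero from the start of the routine, or one if an earlier CPUID was intercepted and the #VC handler in the last hunk wrote it. A short comment at the "bt eax, 3" test saying that a clear CPUID bit does not clear the byte, and that this is intended, would save the reader from reconstructing it. It is also worth stating there that the CPUID bit 3 test gates the read of MSR 0xc0010131, which is the only input the commit message describes as non-interceptable.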
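
Review bot: In the @@ -132,45 +157,35 @@ hunk, IsSevEsEnabled no longer checks anything itself; "cmp byte[SEV_ES_WORK_AREA], 1" is only meaningful after CheckSevFeatures has run and if nothing has rewritten the byte in between, but the header comment lists just "Modified: EAX" and no precondition. Please document that ordering requirement in the routine header. The exact compare against 1 also treats any other non-zero value as disabled; only 0 and 1 are written in the lines shown here, so a one-line remark that these are the only valid values would make the "jne SevEsDisabled" branch unambiguous.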
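
Review bot: In the @@ -336,8 +351,8 @@ hunk, the reworded comment in SevEsIdtVmmComm says the byte communicates "a #VC was taken", while the new comment in IsSevEsEnabled says the same byte "was set to 1 if SEV-ES is enabled". One byte now carries two descriptions. Suggest extending the handler comment to say that a #VC raised by CPUID implies an SEV-ES guest and that IsSevEsEnabled reads this value, so the two comments agree.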