Subject: Re: [edk2-devel] [PATCH RFC v3 04/22] OvmfPkg/MemEncryptSevLib: extend Es Workarea to include hv features
To: Laszlo Ersek, Brijesh Singh
Cc: devel@edk2.groups.io, James Bottomley, Min Xu, Jiewen Yao, Jordan Justen, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, Ard Biesheuvel
References: <20210526231118.12946-1-brijesh.singh@amd.com> <20210526231118.12946-5-brijesh.singh@amd.com> <0744c84d-ca70-1fe6-a1c0-b97bb87affc5@redhat.com>
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
Message-ID: <504f5362-c849-d6e7-5980-4410b84155d9@amd.com>
Date: Tue, 8 Jun 2021 16:36:18 -0500
In-Reply-To: <0744c84d-ca70-1fe6-a1c0-b97bb87affc5@redhat.com>
On 6/8/21 3:49 AM, Laszlo Ersek wrote:
> On 06/07/21 15:37, Brijesh Singh wrote:
> > ...
> ... But maybe I just need to accept that we have to repurpose
> SEC_SEV_ES_WORK_AREA, considering it a super-early "HOB list" of sorts.
> Same as the PEI phase is considered the "HOB producer phase", outputting
> a bunch of disparate bits of info, we could consider the SEV-ES parts of
> the Reset Vector such an "early info bits" producer phase. I think this
> is a very big conceptual step away from the original purpose of
> SEC_SEV_ES_WORK_AREA (note the *name* of the structure: "work area"!
> HOBs are not "work areas", they are effectively read-only, once
> produced). But perhaps this is what we need (and then with proper
> documentation).
>
> NB however that HOBs have types, GUIDed HOBs have GUIDs, the HOB types
> are specified in PI, and GUIDs are expressly declared to stand for
> various purposes at least in edk2 DEC files. All that helps with
> discerning the information flow. So... I'd still prefer keeping
> SEC_SEV_ES_WORK_AREA as minimal as possible.
>
> Tom, any comments?

The purpose of the work area was originally two-fold. It is used in the
reset vector code to set the SevEsEnabled bit so that we could keep the
original behavior in SecCoreStartupWithStack() - no initialization of the
exception handlers or early enabling of processor cache. The second use
is for initial AP startup, where we had a known memory address at build
time that could be used to set the initial CS:IP of APs for the first
boot. We expanded the use for the security mitigations, used by the reset
vector code and again in SEC. At the start of PEI, PCDs are then set.

So, yes, if the information can be obtained later, and in this case we're
not talking about CPUID information which would need re-validation, then
there's no need to keep it in the work area and we can keep the size and
information stored in the work area to a minimum.

Thanks,
Tom

>
> Thank you Brijesh for raising great points!
> Laszlo
>
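The thread above contrasts a mutable, untyped SEC_SEV_ES_WORK_AREA with the PI HOB list, where each entry carries a type and (for GUIDed HOBs) a GUID and is read-only once produced. The following is an added example, not code from this thread, from OVMF or from edk2: a small C model of a PI-style HOB list with a producer that appends one GUIDed HOB and a consumer that walks the list with bounds checks and hands back a const view of the payload. The header layouts and the type values 0x0004 and 0xFFFF are the PI specification's; everything else (the EXAMPLE_* names, the GUID, the HvFeatures payload struct) is constructed for illustration, and the PHIT HOB that a real list begins with is omitted. edk2's real HobLib equivalents are GetFirstGuidHob() and GET_GUID_HOB_DATA(); the implementation here is the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HOB type values as defined in the PI Specification (Volume 3). */
#define EFI_HOB_TYPE_GUID_EXTENSION  0x0004
#define EFI_HOB_TYPE_END_OF_HOB_LIST 0xFFFF

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { uint16_t HobType; uint16_t HobLength; uint32_t Reserved; } EFI_HOB_GENERIC_HEADER;
typedef struct { EFI_HOB_GENERIC_HEADER Header; EFI_GUID Name; } EFI_HOB_GUID_TYPE;

/* Hypothetical payload and GUID, constructed for this example only (not OVMF's). */
typedef struct { uint64_t HvFeatures; } EXAMPLE_SEV_HV_FEATURES;
static const EFI_GUID gExampleSevHvFeaturesGuid =
  { 0x1d9d9c77, 0x0a1b, 0x4c2d, { 0x8e, 0x3f, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 } };

/* Minimal HOB list over a caller-supplied, 8-byte-aligned buffer. A real list
   starts with a PHIT (handoff) HOB; that is omitted here for brevity. */
typedef struct { uint8_t *Buf; size_t Cap; size_t End; } EXAMPLE_HOB_LIST;

static void WriteEndMarker(uint8_t *p) {
  EFI_HOB_GENERIC_HEADER end = { EFI_HOB_TYPE_END_OF_HOB_LIST, sizeof end, 0 };
  memcpy(p, &end, sizeof end);
}

int ExampleHobListInit(EXAMPLE_HOB_LIST *L, void *buf, size_t cap) {
  if (cap < sizeof(EFI_HOB_GENERIC_HEADER)) return -1;
  L->Buf = buf; L->Cap = cap; L->End = 0;
  memset(buf, 0, cap);
  WriteEndMarker(L->Buf);
  return 0;
}

/* Producer: append a GUIDed HOB. Consumers only ever receive a const view of it. */
void *ExampleCreateGuidHob(EXAMPLE_HOB_LIST *L, const EFI_GUID *Guid, const void *Data, size_t DataSize) {
  size_t len = (sizeof(EFI_HOB_GUID_TYPE) + DataSize + 7) & ~(size_t)7;  /* HOBs are 8-byte aligned */
  if (len > 0xFFFF || L->End + len + sizeof(EFI_HOB_GENERIC_HEADER) > L->Cap) return NULL;
  EFI_HOB_GUID_TYPE hdr;
  memset(&hdr, 0, sizeof hdr);
  hdr.Header.HobType = EFI_HOB_TYPE_GUID_EXTENSION;
  hdr.Header.HobLength = (uint16_t)len;
  hdr.Name = *Guid;
  uint8_t *p = L->Buf + L->End;
  memcpy(p, &hdr, sizeof hdr);
  memcpy(p + sizeof hdr, Data, DataSize);
  L->End += len;
  WriteEndMarker(L->Buf + L->End);
  return p + sizeof hdr;
}

/* Consumer: bounds-checked walk returning the first matching GUIDed HOB's payload, read-only. */
const void *ExampleGetGuidHobData(const EXAMPLE_HOB_LIST *L, const EFI_GUID *Guid, size_t *DataSize) {
  size_t off = 0;
  for (;;) {
    if (off + sizeof(EFI_HOB_GENERIC_HEADER) > L->Cap) return NULL;            /* truncated list */
    const EFI_HOB_GENERIC_HEADER *h = (const EFI_HOB_GENERIC_HEADER *)(L->Buf + off);
    if (h->HobType == EFI_HOB_TYPE_END_OF_HOB_LIST) return NULL;
    if (h->HobLength < sizeof *h || off + h->HobLength > L->Cap) return NULL;  /* corrupt length */
    if (h->HobType == EFI_HOB_TYPE_GUID_EXTENSION && h->HobLength >= sizeof(EFI_HOB_GUID_TYPE)) {
      const EFI_HOB_GUID_TYPE *g = (const EFI_HOB_GUID_TYPE *)h;
      if (memcmp(&g->Name, Guid, sizeof *Guid) == 0) {
        if (DataSize) *DataSize = h->HobLength - sizeof *g;
        return (const uint8_t *)g + sizeof *g;
      }
    }
    off += h->HobLength;
  }
}

static uint64_t gExampleStorage[64];   /* 512 bytes, 8-byte aligned */

/* Worked scenario: publish the feature bits once, then read them back through the typed entry. */
uint64_t ExamplePublishAndReadHvFeatures(uint64_t features) {
  EXAMPLE_HOB_LIST list;
  EXAMPLE_SEV_HV_FEATURES d = { features };
  size_t n = 0;
  if (ExampleHobListInit(&list, gExampleStorage, sizeof gExampleStorage) != 0) return 0;
  if (ExampleCreateGuidHob(&list, &gExampleSevHvFeaturesGuid, &d, sizeof d) == NULL) return 0;
  const EXAMPLE_SEV_HV_FEATURES *found = ExampleGetGuidHobData(&list, &gExampleSevHvFeaturesGuid, &n);
  if (found == NULL || n < sizeof *found) return 0;
  return found->HvFeatures;
}

/* A GUID nobody produced must fail cleanly rather than return stale memory. */
int ExampleUnknownGuidIsAbsent(void) {
  static const EFI_GUID other = { 0, 0, 0, { 0 } };
  EXAMPLE_HOB_LIST list;
  uint64_t zero = 0;
  if (ExampleHobListInit(&list, gExampleStorage, sizeof gExampleStorage) != 0) return 0;
  if (ExampleCreateGuidHob(&list, &gExampleSevHvFeaturesGuid, &zero, sizeof zero) == NULL) return 0;
  return ExampleGetGuidHobData(&list, &other, NULL) == NULL;
}

int main(void) {
  printf("HvFeatures read back: 0x%llx\n", (unsigned long long)ExamplePublishAndReadHvFeatures(0x3));
  printf("unknown GUID absent: %d\n", ExampleUnknownGuidIsAbsent());
  return 0;
}
```

The point of the model is the one Laszlo makes: the GUID and HobType make it obvious who produced the data and who may consume it, the consumer never gets a writable pointer, and every HobLength is checked against the buffer before it is followed, so a corrupt entry ends the walk instead of being dereferenced. A flat work area offers none of that structure, which is why keeping it to the few fields the reset vector genuinely needs (the SevEsEnabled bit and the AP startup address) limits what later phases must trust.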