From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brijesh Singh"
To: Ashish Kalra, devel@edk2.groups.io
Cc: brijesh.singh@amd.com, Thomas.Lendacky@amd.com, jejb@linux.ibm.com, erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com, lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com
Subject: Re: [PATCH v4 1/4] OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
Date: Tue, 22 Jun 2021 14:58:04 -0500
Message-ID: <51ecf413-9faa-1e9d-8bdb-f1454dea0aa1@amd.com>
In-Reply-To: <742885b1-b880-fd09-d76a-be495b294332@amd.com>
References: <7d0a30a022a7d3d3e056af8f79b87ed9991d2f52.1624281247.git.ashish.kalra@amd.com> <742885b1-b880-fd09-d76a-be495b294332@amd.com>
Content-Type: text/plain; charset=utf-8

On 6/22/2021 2:47 PM, Brijesh Singh wrote: > > > On 6/21/2021 8:56 AM, Ashish Kalra wrote: >> From: Ashish Kalra >> >> Add SEV and SEV-ES hypercall abstraction library to support SEV Page >> encryption/decryption status hypercalls for SEV and SEV-ES guests. >> >> Cc: Jordan Justen >> Cc: Laszlo Ersek >> Cc: Ard Biesheuvel >> > Remove this newline.
> >> Signed-off-by: Ashish Kalra >> --- >> Maintainers.txt | 2 + >> OvmfPkg/Include/Library/MemEncryptHypercallLib.h | 43 ++++++++ >> OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c | 37 +++++++ >> OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf | 42 ++++++++ >> OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm | 28 ++++++ >> OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c | 105 ++++++++++++++++++++ >> OvmfPkg/OvmfPkgIa32.dsc | 1 + >> OvmfPkg/OvmfPkgIa32X64.dsc | 1 + >> OvmfPkg/OvmfPkgX64.dsc | 1 + >> OvmfPkg/OvmfXen.dsc | 1 + >> 10 files changed, 261 insertions(+) >> >> diff --git a/Maintainers.txt b/Maintainers.txt >> index ea54e0b7e9..8ecc8464ba 100644 >> --- a/Maintainers.txt >> +++ b/Maintainers.txt >> @@ -449,8 +449,10 @@ F: OvmfPkg/AmdSev/ >> F: OvmfPkg/AmdSevDxe/ >> F: OvmfPkg/Include/Guid/ConfidentialComputingSecret.h >> F: OvmfPkg/Include/Library/MemEncryptSevLib.h >> +F: OvmfPkg/Include/Library/MemEncryptHypercallLib.h >> F: OvmfPkg/IoMmuDxe/AmdSevIoMmu.* >> F: OvmfPkg/Library/BaseMemEncryptSevLib/ >> +F: OvmfPkg/Library/MemEncryptHypercallLib/ >> F: OvmfPkg/Library/PlatformBootManagerLibGrub/ >> F: OvmfPkg/Library/VmgExitLib/ >> F: OvmfPkg/PlatformPei/AmdSev.c >> diff --git a/OvmfPkg/Include/Library/MemEncryptHypercallLib.h b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h >> new file mode 100644 >> index 0000000000..b241a189b6 >> --- /dev/null >> +++ b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h >> @@ -0,0 +1,43 @@ >> +/** @file >> + >> + Define Secure Encrypted Virtualization (SEV) hypercall library. >> + >> + Copyright (c) 2020, AMD Incorporated. All rights reserved.
> ^^^^ > 2021 > >> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef _MEM_ENCRYPT_HYPERCALL_LIB_H_ >> +#define _MEM_ENCRYPT_HYPERCALL_LIB_H_ >> + >> +#include >> + >> +#define KVM_HC_MAP_GPA_RANGE 12 >> +#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K 0 >> +#define KVM_MAP_GPA_RANGE_PAGE_SZ_2M (1 << 0) >> +#define KVM_MAP_GPA_RANGE_PAGE_SZ_1G (1 << 1) >> +#define KVM_MAP_GPA_RANGE_ENC_STAT(n) ((n) << 4) >> +#define KVM_MAP_GPA_RANGE_ENCRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(1) >> +#define KVM_MAP_GPA_RANGE_DECRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(0) >> + >> +/** >> + This hyercall is used to notify hypervisor when a page is marked as >> + 'decrypted' (i.e C-bit removed). >> + > Looking at the function signature it seems this routine is used for both set > and clear. Please update the comment accordingly. > > >> + @param[in] PhysicalAddress The physical address that is the start address >> + of a memory region. >> + @param[in] Length The length of memory region >> + @param[in] Mode SetCBit or ClearCBit >> + >> +**/ >> + >> +VOID >> +EFIAPI >> +SetMemoryEncDecHypercall3 ( >> + IN UINTN PhysicalAddress, >> + IN UINTN Length, >> + IN UINTN Mode >> + ); >> + >> +#endif >> diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c b/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c >> new file mode 100644 >> index 0000000000..2e73d47ee6 >> --- /dev/null >> +++ b/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c >> @@ -0,0 +1,37 @@ >> +/** @file >> + >> + Secure Encrypted Virtualization (SEV) hypercall helper library >> + >> + Copyright (c) 2020, AMD Incorporated. All rights reserved.
> ^^^^ > 2021 > >> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> + >> +/** >> + This hyercall is used to notify hypervisor when a page is marked as >> + 'decrypted' (i.e C-bit removed). >> + >> + @param[in] PhysicalAddress The physical address that is the start address >> + of a memory region. >> + @param[in] Length The length of memory region >> + @param[in] Mode SetCBit or ClearCBit >> + >> +**/ >> + >> +VOID >> +EFIAPI >> +SetMemoryEncDecHypercall3 ( >> + IN PHYSICAL_ADDRESS PhysicalAddress, >> + IN UINTN Pages, >> + IN UINTN Mode >> + ) >> +{ >> + // >> + // Memory encryption bit is not accessible in 32-bit mode >> + // >> +} >> diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> new file mode 100644 >> index 0000000000..a77d58a7e6 >> --- /dev/null >> +++ b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> @@ -0,0 +1,42 @@ >> +## @file >> +# Library provides the hypervisor helper functions for SEV guest >> +# >> +# Copyright (c) 2020 Advanced Micro Devices. All rights reserved.
> ^^^^ > 2021 >> +# >> +# SPDX-License-Identifier: BSD-2-Clause-Patent >> +# >> +# >> +## >> + >> +[Defines] >> + INF_VERSION = 1.25 >> + BASE_NAME = MemEncryptHypercallLib >> + FILE_GUID = 86f2501e-f128-45f3-91c4-3cff31656ca8 >> + MODULE_TYPE = BASE >> + VERSION_STRING = 1.0 >> + LIBRARY_CLASS = MemEncryptHypercallLib >> + >> +# >> +# The following information is for reference only and not required by the build >> +# tools. >> +# >> +# VALID_ARCHITECTURES = IA32 X64 >> +# >> + >> +[Packages] >> + MdeModulePkg/MdeModulePkg.dec >> + MdePkg/MdePkg.dec >> + UefiCpuPkg/UefiCpuPkg.dec >> + OvmfPkg/OvmfPkg.dec >> + >> +[Sources.X64] >> + X64/MemEncryptHypercallLib.c >> + X64/AsmHelperStub.nasm >> + >> +[Sources.IA32] >> + Ia32/MemEncryptHypercallLib.c >> + >> +[LibraryClasses] >> + BaseLib >> + DebugLib >> + VmgExitLib >> diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm >> new file mode 100644 >> index 0000000000..f29b96f9b0 >> --- /dev/null >> +++ b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm >> @@ -0,0 +1,28 @@ >> +DEFAULT REL >> +SECTION .text >> + >> +; VOID >> +; EFIAPI >> +; SetMemoryEncDecHypercall3AsmStub ( >> +; IN UINT HypercallNum, >> +; IN INTN Arg1, >> +; IN INTN Arg2, >> +; IN INTN Arg3 >> +; ); >> +global ASM_PFX(SetMemoryEncDecHypercall3AsmStub) >> +ASM_PFX(SetMemoryEncDecHypercall3AsmStub): >> + ; UEFI calling conventions require RBX to >> + ; be nonvolatile/callee-saved. >> + push rbx >> + ; Copy HypercallNumber to rax >> + mov rax, rcx >> + ; Copy Arg1 to the register expected by KVM >> + mov rbx, rdx >> + ; Copy Arg2 to register expected by KVM >> + mov rcx, r8 >> + ; Copy Arg2 to register expected by KVM >> + mov rdx, r9 >> + ; Call VMMCALL >> + vmmcall >> + pop rbx >> + ret 
>> diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c b/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c >> new file mode 100644 >> index 0000000000..1c09ea012b >> --- /dev/null >> +++ b/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c >> @@ -0,0 +1,105 @@ >> +/** @file >> + >> + Secure Encrypted Virtualization (SEV) hypercall helper library >> + >> + Copyright (c) 2020, AMD Incorporated. All rights reserved.
> ^^^^ > 2021 >> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +// >> +// Interface exposed by the ASM implementation of the core hypercall >> +// >> +// >> + >> +VOID >> +EFIAPI >> +SetMemoryEncDecHypercall3AsmStub ( >> + IN UINTN HypercallNum, >> + IN UINTN PhysicalAddress, >> + IN UINTN Length, >> + IN UINTN Mode >> + ); >> + > The function signature does not match with documented signature. Fix the > SetMemoryEncDecHypercall3AsmStub() documented in AsmHelperStub.nasm to use > UINTN. > > >> +STATIC >> +VOID >> +GhcbSetRegValid ( >> + IN OUT GHCB *Ghcb, >> + IN GHCB_REGISTER Reg >> + ) >> +{ >> + UINT32 RegIndex; >> + UINT32 RegBit; >> + >> + RegIndex = Reg / 8; >> + RegBit = Reg & 0x07; >> + >> + Ghcb->SaveArea.ValidBitmap[RegIndex] |= (1 << RegBit); >> +} >> + > > This looks similar to VmgSetOffsetValid(). > >> +/** >> + This hyercall is used to notify hypervisor when a page is marked as >> + 'decrypted' (i.e C-bit removed). >> +Please update the comment. > >> + @param[in] PhysicalAddress The physical address that is the start address >> + of a memory region. 
>> + @param[in] Length The length of memory region >> + @param[in] Mode SetCBit or ClearCBit >> + >> +**/ >> + >> +VOID >> +EFIAPI >> +SetMemoryEncDecHypercall3 ( >> + IN PHYSICAL_ADDRESS PhysicalAddress, >> + IN UINTN Pages, >> + IN UINTN Mode >> + ) >> +{ >> + if (MemEncryptSevEsIsEnabled ()) {> + MSR_SEV_ES_GHCB_REGISTER Msr; >> + GHCB *Ghcb; >> + BOOLEAN InterruptState; >> + UINT64 Status; >> + >> + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); >> + Ghcb = Msr.Ghcb; >> + >> + VmgInit (Ghcb, &InterruptState); >> + >> + Ghcb->SaveArea.Rax = KVM_HC_MAP_GPA_RANGE; >> + GhcbSetRegValid (Ghcb, GhcbRax); >> + Ghcb->SaveArea.Rbx = PhysicalAddress; >> + GhcbSetRegValid (Ghcb, GhcbRbx); >> + Ghcb->SaveArea.Rcx = Pages; >> + GhcbSetRegValid (Ghcb, GhcbRcx); >> + Ghcb->SaveArea.Rdx = Mode; >> + GhcbSetRegValid (Ghcb, GhcbRdx); >> + Ghcb->SaveArea.Cpl = AsmReadCs() & 0x3; >> + GhcbSetRegValid (Ghcb, GhcbCpl); >> + >> + Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0); >> + if (Status) { >> + DEBUG ((DEBUG_ERROR, "SVM_EXIT_VMMCALL failed %lx\n", Status)); > > You need to issue an SEV-ES guest termination vmexit followed by a deadloop to ensure > that boot does not proceed. > > You probably also need to check for the RAX register for the return code. > > >> + } >> + VmgDone (Ghcb, InterruptState); >> + } else { >> + SetMemoryEncDecHypercall3AsmStub ( >> + KVM_HC_MAP_GPA_RANGE, >> + PhysicalAddress, >> + Pages, >> + Mode >> + ); > > How do you know whether the hypervisor supports the Live migration ? In other > words, is it safe to call the HC without knowing if HV supports the feature ? > I see that in patch#4 you are adding a support to query the HV features flag to determine whether HV supports the Live migration. You probably need to pull that function into this library and check the feature flag before invoking HC. This library can also export the function for others to use. 
You can cache the value on the first call (similar to how BaseMemEncryptSevLib does for the MemEncryptSevIsEnabled). > Also, what will happen if we pass a bogus GPA. Does the HC return an error ? > Same as SEV-ES block, you probably need to check the RAX register for the > return code. On failure, cause an assert() and terminate the boot. > > >> + } >> +} >> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc >> index f53efeae79..36f1d82ce7 100644 >> --- a/OvmfPkg/OvmfPkgIa32.dsc >> +++ b/OvmfPkg/OvmfPkgIa32.dsc >> @@ -176,6 +176,7 @@ >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf >> + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc >> index b3662e17f2..2a743688b4 100644 >> --- a/OvmfPkg/OvmfPkgIa32X64.dsc >> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc >> @@ -180,6 +180,7 @@ >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf >> + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc >> index 0a237a9058..eb9da51a15 100644 >> --- a/OvmfPkg/OvmfPkgX64.dsc >> +++ b/OvmfPkg/OvmfPkgX64.dsc 
>> @@ -180,6 +180,7 @@ >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf >> + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc >> index 3c1ca6bfd4..de0c052832 100644 >> --- a/OvmfPkg/OvmfXen.dsc >> +++ b/OvmfPkg/OvmfXen.dsc >> @@ -167,6 +167,7 @@ >> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxeLib.inf >> QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf >> MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf >> + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf >> FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf >> > Update the AmdSev.dsc to include this library. > > > -Brijesh >
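Review bot: in the MemEncryptHypercallLib.h hunk the public prototype disagrees with both definitions: the header declares `IN UINTN PhysicalAddress, IN UINTN Length, IN UINTN Mode`, while Ia32/MemEncryptHypercallLib.c and X64/MemEncryptHypercallLib.c define `IN PHYSICAL_ADDRESS PhysicalAddress, IN UINTN Pages, IN UINTN Mode`, and the X64 body loads that second argument into RCX as a page count for KVM_HC_MAP_GPA_RANGE. A caller that trusts the header's `@param[in] Length The length of memory region` and passes a byte length will ask the hypervisor to change the encryption status of a region far larger than intended, which is exactly the kind of guest/hypervisor state mismatch this library exists to prevent. Make the header use PHYSICAL_ADDRESS and `Pages`, state the unit in the `@param` text, and document `Mode` in terms of the KVM_MAP_GPA_RANGE_ENCRYPTED / KVM_MAP_GPA_RANGE_DECRYPTED macros the same header defines rather than "SetCBit or ClearCBit".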
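Review bot: the Ia32/MemEncryptHypercallLib.c hunk makes SetMemoryEncDecHypercall3() a silent no-op while carrying the same doc comment that promises the hypervisor is notified. A caller on IA32 gets no indication that the page-state change was never reported. Either ASSERT here (the 32-bit build cannot be an SEV guest, so reaching this code is a logic error), or state in the header's documentation that the IA32 instance does nothing, so that callers do not rely on the notification having happened.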
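Review bot: the MemEncryptHypercallLib.inf hunk lists only `BaseLib`, `DebugLib` and `VmgExitLib` under [LibraryClasses], but X64/MemEncryptHypercallLib.c calls MemEncryptSevEsIsEnabled(), which comes from MemEncryptSevLib. Add `MemEncryptSevLib` to [LibraryClasses] so the dependency is explicit and the build does not rely on the class being pulled in transitively by the consuming module.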
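Review bot: the AsmHelperStub.nasm hunk discards the hypercall result: KVM returns the status of KVM_HC_MAP_GPA_RANGE in RAX, but the stub is documented as `VOID` and the C declaration matches, so neither path can tell whether the hypervisor accepted the range. Since EFIAPI on X64 already returns integers in RAX, changing the documented and declared return type to UINTN is enough (RAX is untouched between `vmmcall` and `ret`), and the caller in X64/MemEncryptHypercallLib.c can then check it. Two smaller points in the same hunk: `IN UINT HypercallNum` is not an EDK II type (UINTN), and the third `; Copy Arg2 to register expected by KVM` comment sits above `mov rdx, r9`, which copies Arg3.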
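Review bot: in the X64/MemEncryptHypercallLib.c hunk, SetMemoryEncDecHypercall3() returns VOID, so when `VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0)` fails the code logs `SVM_EXIT_VMMCALL failed`, still calls VmgDone() and returns normally, and the non-SEV-ES branch has no result at all. The caller then proceeds to use a page whose encryption status the hypervisor never recorded, which is the failure this library is meant to rule out. Have the function return RETURN_STATUS (propagating both the VmgExit status and the RAX return code of the hypercall in each branch) so that the page-state change in the consuming code can be failed together with the hypercall, rather than only logging at DEBUG_ERROR.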
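Review bot: the OvmfXen.dsc hunk resolves MemEncryptHypercallLib for the Xen build, but the X64 implementation issues the KVM hypercall (VMMCALL or SVM_EXIT_VMMCALL with KVM_HC_MAP_GPA_RANGE) unconditionally; nothing checks that SEV is active or that the hypervisor is KVM before the call. If the mapping is only there to satisfy a link dependency on Xen, either return early in the X64 implementation when MemEncryptSevIsEnabled() is FALSE, or supply a null instance for OvmfXen.dsc, so a non-KVM hypervisor never receives this hypercall.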