From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
Date: Wed, 25 Jan 2023 10:32:45 -0600
Subject: Re: [edk2-devel] [PATCH v4 3/5] OvmfPkg/PlatformInitLib: Add PlatformAddHobCB
To: Gerd Hoffmann
CC: devel@edk2.groups.io, Jiewen Yao, Oliver Steffen, László Érsek, Ard Biesheuvel, Pawel Polawski, Jordan Justen
Message-ID: <539db51b-fa2e-6a0e-2786-1f5349be5e3b@amd.com>
On 1/25/23 09:35, Tom Lendacky wrote:
> On 1/25/23 03:11, Gerd Hoffmann wrote:
>> On Tue, Jan 24, 2023 at 04:33:48PM -0600, Tom Lendacky wrote:
>>> On 1/17/23 06:16, Gerd Hoffmann via groups.io wrote:
>>>> Add PlatformAddHobCB() callback function for use with
>>>> PlatformScanE820().  It adds HOBs for high memory and reservations (low
>>>> memory is handled elsewhere because there are some special cases to
>>>> consider).  This replaces calls to PlatformScanOrAdd64BitE820Ram() with
>>>> AddHighHobs = TRUE.
>>>>
>>>> Write any actions done (adding HOBs, skip unknown types) to the firmware
>>>> log with INFO loglevel.
>>>>
>>>> Also remove PlatformScanOrAdd64BitE820Ram() which is not used any more.
>>>
>>> Hi Gerd,
>>>
>>> A problem was reported to me for an SEV-ES guest that I bisected to this
>>> patch. It only occurs when using the OVMF_CODE.fd file without specifying
>>> the OVMF_VARS.fd file (i.e. only the one pflash device on the qemu command
>>> line, but not using the OVMF.fd file). I don't ever boot without an
>>> OVMF_VARS.fd file, so I didn't catch this.
>>>
>>> With this patch, SEV-ES terminates now because it detects doing MMIO to
>>> an encrypted memory area at 0xFFC00000 (where the OVMF_VARS.fd file would
>>> normally be mapped). Prior to this commit, an SEV-ES guest booted without
>>> issue in this configuration.
>>>
>>> First, is not specifying an OVMF_VARS.fd a valid configuration for booting
>>> given the CODE/VARS split build?
>>
>> No.
>
> Ok, good to know.
>
>>
>>> If it is valid, is the lack of the OVMF_VARS.fd resulting in the
>>> 0xFFC00000 address range getting marked reserved now (and thus mapped
>>> encrypted)?
>>
>> I have no clue offhand.  The patch is not supposed to change OVMF
>> behavior.  Adding the HOBs was done by the (increasingly messy)
>> PlatformScanOrAdd64BitE820Ram() function before, with this patch in
>> place PlatformScanE820() + PlatformAddHobCB() handle it instead.  The
>> end result should be identical though.
>>
>> OVMF does MMIO access @ 0xFFC00000, to check whenever it finds flash
>> there or not (to handle the -bios OVMF.fd case).  That happens at a
>> completely different place though (see
>> OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c).
>>
>>> Let me know if you need me to provide any output or testing if you can't
>>> boot an SEV-ES guest.
>>
>> Yes, the firmware log hopefully gives clues what is going on here.
>
> So here are the differences (with some debug messages that I added) between
> booting at:
>
> 124b76505133 ("OvmfPkg/PlatformInitLib: Add PlatformGetLowMemoryCB")
>
>   PlatformScanOrAdd64BitE820Ram: Reserved: Base=0xFEFFC000 Length=0x4000
>   ...
>   *** DEBUG: AmdSevDxeEntryPoint:120 - Clearing encryption bit for FF000000 to FFFFFFFF - MMIO=0
>   *** DEBUG: AmdSevDxeEntryPoint:120 - Clearing encryption bit for 180000000 to 7FFFFFFFFFFF - MMIO=0
>   ...
>   QEMU Flash: Failed to find probe location
>   QEMU flash was not detected. Writable FVB is not being installed.
>
> and
>
> 328076cfdf45 ("OvmfPkg/PlatformInitLib: Add PlatformAddHobCB")
>
>   PlatformAddHobCB: Reserved [0xFEFFC000, 0xFF000000)
>   PlatformAddHobCB: HighMemory [0x100000000, 0x180000000)
>   ...
>   *** DEBUG: AmdSevDxeEntryPoint:120 - Clearing encryption bit for 1FDFFC000 to 7FFFFFFFFFFF - MMIO=0
>   ...
>   MMIO using encrypted memory: FFC00000
>   !!!! X64 Exception Type - 0D(#GP - General Protection)  CPU Apic ID - 00000000 !!!!
>
>
> So before the patch in question, we see that AmdSevDxeEntryPoint() in
> OvmfPkg/AmdSevDxe/AmdSevDxe.c found an entry in the GCD map for 0xFF000000
> to 0xFFFFFFFF that was marked as EfiGcdMemoryTypeNonExistent and so the
> mapping was changed to unencrypted. But after that patch, that entry is
> not present and so the 0xFFC00000 address is mapped encrypted and results
> in the failure.

This issue also causes use of the OVMF.fd file to fail for both SEV and SEV-ES.

With this patch, using the combined file gives:

  Firmware Volume for Variable Store is corrupted
  ASSERT_EFI_ERROR (Status = Volume Corrupt)
  ASSERT [VariableRuntimeDxe] /root/kernels/ovmf-build-X64/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c(546): !(((INTN)(RETURN_STATUS)(Status)) < 0)

I believe this is for the same reason, that the mapping is encrypted, which causes the signature and GUID checks to fail.

Thanks,
Tom

>
> Thanks,
> Tom
>
>>
>> thanks,
>>    Gerd
>>
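An added illustration of the failure mechanism Tom describes, written for this page and not taken from OVMF or from the thread: a simplified C model of the AmdSevDxeEntryPoint pass over the GCD map, which only clears the encryption bit for NonExistent and MMIO descriptors, so a flash probe at 0xFFC00000 stays fatal under SEV-ES whenever the covering descriptor is missing or has another type. The enum, struct and both memory maps are constructed for the example; GoodMap mirrors the pre-patch log, BadMap omits the 0xFF000000 entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a GCD memory-space descriptor (not OVMF's types). */
typedef enum { GcdNonExistent, GcdReserved, GcdSystemMemory, GcdMmio } GcdType;
/* Encrypted == C-bit set: private guest memory, must never be used for MMIO. */
typedef struct { uint64_t Base, Length; GcdType Type; bool Encrypted; } GcdDesc;

/* Models the AmdSevDxeEntryPoint pass: everything starts encrypted, and only
 * NonExistent and MMIO descriptors get the C-bit cleared.
 * Returns how many descriptors were switched to unencrypted. */
static size_t ClearEncryptionForMmio(GcdDesc *map, size_t n) {
  size_t cleared = 0;
  for (size_t i = 0; i < n; i++) {
    map[i].Encrypted = !(map[i].Type == GcdNonExistent || map[i].Type == GcdMmio);
    if (!map[i].Encrypted) cleared++;
  }
  return cleared;
}

/* True when an MMIO access to addr would hit encrypted memory, the condition
 * behind "MMIO using encrypted memory". An address no descriptor covers is
 * treated as encrypted, which is how a missing GCD entry shows up here. */
static bool MmioHitsEncryptedMemory(const GcdDesc *map, size_t n, uint64_t addr) {
  for (size_t i = 0; i < n; i++)
    if (addr >= map[i].Base && addr < map[i].Base + map[i].Length)
      return map[i].Encrypted;
  return true;
}

#define FLASH_PROBE 0xFFC00000ULL  /* flash probe address quoted in the thread */

/* Constructed maps. GoodMap has 0xFF000000-0xFFFFFFFF present as NonExistent,
 * as in the pre-patch log; BadMap lacks that entry, as after the patch. */
static GcdDesc GoodMap[] = {
  { 0x00000000, 0xFEFFC000, GcdSystemMemory, true },
  { 0xFEFFC000, 0x00004000, GcdReserved,     true },
  { 0xFF000000, 0x01000000, GcdNonExistent,  true },
};
static GcdDesc BadMap[] = {
  { 0x00000000, 0xFEFFC000, GcdSystemMemory, true },
  { 0xFEFFC000, 0x00004000, GcdReserved,     true },
};

/* Runs the C-bit pass, then asks whether the flash probe would be fatal. */
static bool ProbeIsFatal(GcdDesc *map, size_t n) {
  ClearEncryptionForMmio(map, n);
  return MmioHitsEncryptedMemory(map, n, FLASH_PROBE);
}
```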