From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [RFC PATCH 02/14] OvmfPkg/PlatformPei: Mark SEC GHCB page in the page encrpytion bitmap.
To: devel@edk2.groups.io, ashish.kalra@amd.com
Cc: Dov Murik, Tobin Feldman-Fitzthum, James Bottomley, Hubertus Franke, Brijesh Singh, Jon Grimm, Tom Lendacky
References: <20210302204839.82042-1-tobin@linux.ibm.com> <20210302204839.82042-3-tobin@linux.ibm.com> <20210303001601.GA30351@ashkalra_ubuntu_server>
From: "Tobin Feldman-Fitzthum"
Message-ID: <5950410f-4716-fc45-4b05-042b00e5fb44@linux.ibm.com>
Date: Wed, 3 Mar 2021 09:56:00 -0500
In-Reply-To: <20210303001601.GA30351@ashkalra_ubuntu_server>

> Hello Tobin,
>
> Just a high level question, why is this patch included in this
> patch series, I don't think you are supporting SEV-ES platform
> migration in this patch-set?

You are correct that we don't support migration for SEV-ES machines,
although our approach can potentially be adapted for SEV-ES. I was on
the fence about including this patch, because we don't strictly need it
for migration. I'm not sure if the SEC GHCB would be significant even if
we did support SEV-ES migration. Ultimately it seemed like a good idea
because the SEV firmware build does otherwise support SEV-ES. Since I
was introducing the hypercall in an environment where SEV-ES can be
enabled, it seemed reasonable to include. Syncing page encryption status
hypothetically has uses beyond migration.

Note that I am not adding full support for the hypercall in OVMF, which
might be a good idea at some point.

-Tobin

> Thanks,
> Ashish
>
> On Tue, Mar 02, 2021 at 03:48:27PM -0500, Tobin Feldman-Fitzthum wrote:
>> From: Ashish Kalra >> >> Mark the SEC GHCB page that is mapped as unencrypted in >> ResetVector code in the hypervisor page encryption bitmap. >> >> Cc: Jordan Justen >> Cc: Laszlo Ersek >> Cc: Ard Biesheuvel >> >> Signed-off-by: Ashish Kalra >> --- >> OvmfPkg/PlatformPei/AmdSev.c | 10 ++++++++++ >> 1 file changed, 10 insertions(+) >> >> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c >> index dddffdebda..c72eeb37c5 100644 >> --- a/OvmfPkg/PlatformPei/AmdSev.c >> +++ b/OvmfPkg/PlatformPei/AmdSev.c >> @@ -15,6 +15,7 @@ >> #include >> #include >> #include >> +#include >> #include >> #include >> #include >> @@ -52,6 +53,15 @@ AmdSevEsInitialize ( >> PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE); >> ASSERT_RETURN_ERROR (PcdStatus); >> >> + // >> + // GHCB_BASE setup during reset-vector needs to be marked as >> + // decrypted in the hypervisor page encryption bitmap. >> + // >> + SetMemoryEncDecHypercall3 (FixedPcdGet32 (PcdOvmfSecGhcbBase), >> + EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize)), >> + FALSE >> + ); >> + >> // >> // Allocate GHCB and per-CPU variable pages. >> // Since the pages must survive across the UEFI to OS transition >> -- >> 2.20.1 >> > > > >
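
Review bot: In the AmdSevEsInitialize hunk, the result of SetMemoryEncDecHypercall3 is discarded, while the PcdSetBoolS call directly above it is checked with ASSERT_RETURN_ERROR (PcdStatus). If the hypercall can fail or is not implemented by the hypervisor, the SEC GHCB page stays unmarked in the page encryption bitmap with no indication. Please either capture and check the result, or extend the comment to say why a failure is safe to ignore at this point. The comment could also state that the page was already mapped unencrypted by the ResetVector code, as the commit message does, so the reader sees that this call only syncs the hypervisor's view. Style: EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize)) is missing the space before the opening parenthesis that every other call in the hunk has.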