Subject: Re: [edk2-devel] [PATCH v7 00/43] SEV-ES guest support
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Andrew Fish, devel@edk2.groups.io
CC: "Ni, Ray", Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Mike Kinney, "Gao, Liming", "Dong, Eric", Brijesh Singh, "You, Benjamin", "Bi, Dandan", "Dong, Guo", "Wu, Hao A", "Wang, Jian J", "Ma, Maurice"
References: <4da69262-e6a8-1374-2853-dab2a8f193d3@amd.com> <734D49CCEBEEF84792F5B80ED585239D5C530D55@SHSMSX104.ccr.corp.intel.com> <0392c73c-dc2f-0117-1952-532e33c9948c@amd.com>
Message-ID: <59567653-77fd-f9b2-e030-284eb5528b23@amd.com>
Date: Tue, 12 May 2020 12:44:29 -0500
In-Reply-To: <0392c73c-dc2f-0117-1952-532e33c9948c@amd.com>

On 5/12/20 11:49 AM, Tom Lendacky wrote:
> On 5/9/20 2:09 PM, Andrew Fish wrote:
>>
>>
>>> On May 9, 2020, at 7:34 AM, Lendacky, Thomas wrote:
>>>
>>> On 5/9/20 1:44 AM, Ni, Ray wrote:
>>>> Tom,
>>>
>>> Hi Ray,
>>>
>>>> I have a bit of concern on your change that directly modifies
>>>> CpuExceptionHandlerLib to handle exception #29. Today's
>>>> CpuExceptionHandlerLib simply dumps the exception context for every
>>>> exception. Any component which wants to do specific handling of
>>>> certain exceptions should call RegisterCpuInterruptHandler(), such as
>>>> the code in the CpuDxe driver:
>>>>   if (HEAP_GUARD_NONSTOP_MODE || NULL_DETECTION_NONSTOP_MODE) {
>>>>     RegisterCpuInterruptHandler (EXCEPT_IA32_DEBUG, DebugExceptionHandler);
>>>>     RegisterCpuInterruptHandler (EXCEPT_IA32_PAGE_FAULT, PageFaultExceptionHandler);
>>>>   }
>>>> Is it possible for your feature to follow the same pattern?
>>>
>>> There are two problems:
>>>
>>> The first is that RegisterCpuInterruptHandler() is not implemented for
>>> both the SEC and PEI phases, so it is not currently possible to
>>> register a handler that early.
>>>
>>> The second is that I need to be able to propagate an exception request
>>> from the hypervisor. With the current implementation there doesn't
>>> appear to be an easy way to perform this propagation.
>>>
>>> If there's a way to accomplish both of the above I wouldn't be opposed
>>> to using RegisterCpuInterruptHandler() as long as there are no #VCs
>>> that can occur between initializing exception handling and
>>> registering the #VC handler.
>>>
>>
>> Thomas,
>>
>> As you point out it is tricky dealing with XIP code. You can't have
>> globals that you can write and generally you use a PEI service to look
>> things up, the most common thing being using a HOB. But SEC has no
>> services and I'm not sure you really want to be calling into the PEI
>> Core on a random exception.
>>
>> Here are the best options that popped into my head after reading your email:
>>
>> 1) IDT in RAM
>> If your code populates the IDT the IDTR gives you access to the address
>> of the IDTR via an instruction. The PI Spec reserves IDT - sizeof
>> (UINTN) for a cached copy of the PEI Services Table, but other than
>> that you are good to go. It should be possible to have a global so you
>> can have the table required to implement RegisterCpuInterruptHandler().
>> There might be some usage of IDT - ( 2* sizeof(UINTN)), I know I'm
>> guilty, so storing data after the IDT would be a good option. In general
>> if your code allocates the memory for the IDT then you can treat the IDT
>> as part of your private context data structure and that gives you access
>>
>> 2) IDT in ROM.
>> For this it seems like you need a library to link in to
>> the CpuExceptionHandlerLib that allows you to override the handler. If
>> CpuInterruptHandlerOverride() returns NULL you do the current behavior;
>> if not NULL then you call the returned handler.
>>
>> EFI_CPU_INTERRUPT_HANDLER
>> EFIAPI
>> OverrideCpuInterruptHandler (
>>   IN EFI_EXCEPTION_TYPE            InterruptType
>>   );
>
> I like the override idea in general, if that works for everyone.
> There could be a NULL instance that never overrides the exception. Then it
> can be implemented by those packages that need it. In this case a library
> can be created in OvmfPkg that provides an override for #VC and the
> override return code can determine if further processing is performed.

Hmm... so the problem is that EFI_CPU_INTERRUPT_HANDLER does not return a
value. So maybe just create an override type specific to the override
library? I don't think that would present any issues.

typedef
EFI_STATUS
(EFIAPI *CPU_INTERRUPT_OVERRIDE) (
  IN EFI_EXCEPTION_TYPE  ExceptionType,
  IN EFI_SYSTEM_CONTEXT  SystemContext
  );

CPU_INTERRUPT_OVERRIDE
EFIAPI
OverrideCpuInterruptHandler (
  IN EFI_EXCEPTION_TYPE  ExceptionType,
  IN EFI_SYSTEM_CONTEXT  SystemContext
  );

Thanks,
Tom

>
> Thanks,
> Tom
>
>>
>> Thanks,
>>
>> Andrew Fish
>>
>> PS Off topic, but it would also be useful to have a library that
>> overrides the state dump display. For example using Xcode you can always
>> display a stack frame from the exception handler.
>>
>>
>>> Thanks,
>>> Tom
>>>
>>>> Thanks,
>>>> Ray
>>>>> -----Original Message-----
>>>>> From: Tom Lendacky
>>>>> Sent: Saturday, May 9, 2020 3:16 AM
>>>>> To: devel@edk2.groups.io
>>>>> Cc: Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Kinney, Michael D;
>>>>> Gao, Liming; Dong, Eric; Ni, Ray; Brijesh Singh; You, Benjamin;
>>>>> Bi, Dandan; Dong, Guo; Wu, Hao A; Wang, Jian J; Ma, Maurice
>>>>> Subject: Re: [PATCH v7 00/43] SEV-ES guest support
>>>>>
>>>>> I was able to use the pull request method that Laszlo documented and
>>>>> fixed up all of the issues identified by the VS compiler.
>>>>>
>>>>> An additional change I'm planning to make for the next version (v8)
>>>>> of the patches is to create a NULL library instance of the VmgExitLib
>>>>> that will also include the #VC handler function. This will reduce the
>>>>> amount of code associated with this feature for platforms that don't
>>>>> use/support SEV-ES.
>>>>>
>>>>> Laszlo, this will mean that I will introduce a version of the VmgExitLib
>>>>> under OvmfPkg that will provide the majority of the functionality that
>>>>> is present today in UefiCpuPkg. In essence, the functionality in v7
>>>>> patches 8 and 11 - 25 will now live under OvmfPkg instead of UefiCpuPkg.
>>>>> I think this is the better way to do this. Let me know if you have any
>>>>> concerns.
>>>>>
>>>>> Thanks,
>>>>> Tom
>>>>>
>>>>> On 4/22/20 12:41 PM, Tom Lendacky wrote:
>>>>>> This patch series provides support for running EDK2/OVMF under SEV-ES.
>>>>>>
>>>>>> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on
>>>>>> the SEV support to protect the guest register state from the
>>>>>> hypervisor. See "AMD64 Architecture Programmer's Manual Volume 2:
>>>>>> System Programming", section "15.35 Encrypted State (SEV-ES)" [1].
>>>>>>
>>>>>> In order to allow a hypervisor to perform functions on behalf of a
>>>>>> guest, there is architectural support for notifying a guest's operating
>>>>>> system when certain types of VMEXITs are about to occur. This allows
>>>>>> the guest to selectively share information with the hypervisor to
>>>>>> satisfy the requested function. The notification is performed using a
>>>>>> new exception, the VMM Communication exception (#VC). The information
>>>>>> is shared through the Guest-Hypervisor Communication Block (GHCB) using
>>>>>> the VMGEXIT instruction. The GHCB format and the protocol for using it
>>>>>> are documented in "SEV-ES Guest-Hypervisor Communication Block
>>>>>> Standardization" [2].
>>>>>>
>>>>>> The main areas of the EDK2 code that are updated to support SEV-ES are
>>>>>> around the exception handling support and the AP boot support.
>>>>>>
>>>>>> Exception support is required starting in Sec, continuing through Pei
>>>>>> and into Dxe in order to handle #VC exceptions that are generated. Each
>>>>>> AP requires its own GHCB page as well as a page to hold values specific
>>>>>> to that AP.
>>>>>>
>>>>>> AP booting poses some interesting challenges. The INIT-SIPI-SIPI
>>>>>> sequence is typically used to boot the APs. However, the hypervisor is
>>>>>> not allowed to update the guest registers. The GHCB document [2] talks
>>>>>> about how SMP booting under SEV-ES is performed.
>>>>>>
>>>>>> Since the GHCB page must be a shared (unencrypted) page, the processor
>>>>>> must be running in long mode in order for the guest and hypervisor to
>>>>>> communicate with each other. As a result, SEV-ES is only supported
>>>>>> under the X64 architecture.
>>>>>>
>>>>>> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
>>>>>>
>>>>>> [2] https://developer.amd.com/wp-content/resources/56421.pdf
>>>>>>
>>>>>> ---
>>>>>>
>>>>>> These patches are based on commit:
>>>>>> be7295b36405 (".python/SpellCheck: Increase SpellCheck plugin max
>>>>>> failures")
>>>>>>
>>>>>> Proper execution of SEV-ES relies on Bugzilla 2340 being fixed.
>>>>>>
>>>>>> A version of the tree (with an extra patch to workaround Bugzilla 2340)
>>>>>> can be found at:
>>>>>> https://github.com/AMDESE/ovmf/tree/sev-es-v14
>>>>>>
>>>>>> Cc: Ard Biesheuvel
>>>>>> Cc: Benjamin You
>>>>>> Cc: Dandan Bi
>>>>>> Cc: Eric Dong
>>>>>> Cc: Guo Dong
>>>>>> Cc: Hao A Wu
>>>>>> Cc: Jian J Wang
>>>>>> Cc: Jordan Justen
>>>>>> Cc: Laszlo Ersek
>>>>>> Cc: Liming Gao
>>>>>> Cc: Maurice Ma
>>>>>> Cc: Michael D Kinney
>>>>>> Cc: Ray Ni
>>>>>>
>>>>>> Changes since v6:
>>>>>> - Add function comments to all functions, including local functions
>>>>>> - Add function parameter direction to all functions (in/out)
>>>>>> - Add support for MMIO MOVZX/MOVSX instructions
>>>>>> - Ensure the per-CPU variable page remains encrypted
>>>>>> - Coding-style fixes as identified by Ecc
>>>>>>
>>>>>> Changes since v5:
>>>>>> - Remove extraneous VmgExitLib usage
>>>>>> - Miscellaneous changes to address feedback (coding style, etc.)
>>>>>>
>>>>>> Changes since v4:
>>>>>> - Move the SEV-ES protocol negotiation out of the SEC exception handler
>>>>>>   and into the SecMain.c file. As a result:
>>>>>>   - Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
>>>>>>   - Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a
>>>>>>     single AMDSevVcHandler.c
>>>>>> - Consolidate VmgExitLib usage into common LibraryClasses sections
>>>>>> - Add documentation comments to the VmgExitLib functions
>>>>>>
>>>>>> Changes since v3:
>>>>>> - Remove the need for the MP library finalization routine. The AP
>>>>>>   jump table address will be held by the hypervisor rather than
>>>>>>   communicated via the GHCB MSR. This removes some fragility around
>>>>>>   the UEFI to OS transition.
>>>>>> - Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to
>>>>>>   communicate the SEV-ES status, so that SEC CPU exception handling is
>>>>>>   only established for an SEV-ES guest.
>>>>>> - Fix SMM build breakageAdd around QemuFlashPtrWrite().
>>>>>> - Fix SMM build breakage by adding VC exception support the SMM CPU
>>>>>>   exception handling.
>>>>>> - Add memory fencing around the invocation of AsmVmgExit().
>>>>>> - Clarify comments around the SEV-ES AP reset RIP values and usage.
>>>>>> - Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
>>>>>> - Remove the 16-bit code selector definition from MdeModulePkg
>>>>>>
>>>>>> Changes since v2:
>>>>>> - Added a way to locate the SEV-ES fixed AP RIP address for starting
>>>>>>   APs to avoid updating the actual flash image (build time location
>>>>>>   that is identified with a GUID value).
>>>>>> - Create a VmgExit library to replace static inline functions.
>>>>>> - Move some PCDs to the appropriate packages
>>>>>> - Add support for writing to QEMU flash under SEV-ES
>>>>>> - Add additional MMIO opcode support
>>>>>> - Cleaned up the GHCB MSR CPUID protocol support
>>>>>>
>>>>>> Changes since v1:
>>>>>> - Patches reworked to be more specific to the component/area being
>>>>>>   updated and order of definition/usage
>>>>>> - Created a library for VMGEXIT-related functions to replace use of
>>>>>>   inline functions
>>>>>> - Allocation method for GDT changed from AllocatePool to AllocatePages
>>>>>> - Early caching only enabled for SEV-ES guests
>>>>>> - Ensure AP loop mode set to halt loop mode for SEV-ES guests
>>>>>> - Reserved SEC GHCB-related memory areas when S3 is enabled
>>>>>>
>>>>>> Tom Lendacky (43):
>>>>>>   MdeModulePkg: Create PCDs to be used in support of SEV-ES
>>>>>>   UefiCpuPkg: Create PCD to be used in support of SEV-ES
>>>>>>   MdePkg: Add the MSR definition for the GHCB register
>>>>>>   MdePkg: Add a structure definition for the GHCB
>>>>>>   MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
>>>>>>   MdePkg/BaseLib: Add support for the XGETBV instruction
>>>>>>   MdePkg/BaseLib: Add support for the VMGEXIT instruction
>>>>>>   UefiCpuPkg: Implement library support for VMGEXIT
>>>>>>   OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
>>>>>>   UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for IOIO_PROT NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Support string IO for IOIO_PROT NAE
>>>>>>     events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for CPUID NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MSR_PROT NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for NPF NAE events (MMIO)
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for WBINVD NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSC NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDPMC NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for INVD NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for VMMCALL NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSCP NAE events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MONITOR/MONITORX NAE
>>>>>>     events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MWAIT/MWAITX NAE
>>>>>>     events
>>>>>>   UefiCpuPkg/CpuExceptionHandler: Add support for DR7 Read/Write NAE
>>>>>>     events
>>>>>>   OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
>>>>>>   OvmfPkg: Add support to perform SEV-ES initialization
>>>>>>   OvmfPkg: Create a GHCB page for use during Sec phase
>>>>>>   OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
>>>>>>   OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
>>>>>>   OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
>>>>>>   UefiCpuPkg: Create an SEV-ES workarea PCD
>>>>>>   OvmfPkg: Reserve a page in memory for the SEV-ES usage
>>>>>>   OvmfPkg/ResetVector: Add support for a 32-bit SEV check
>>>>>>   OvmfPkg/Sec: Add #VC exception handling for Sec phase
>>>>>>   OvmfPkg/Sec: Enable cache early to speed up booting
>>>>>>   OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with
>>>>>>     SEV-ES is enabled
>>>>>>   UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
>>>>>>   UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is
>>>>>>     enabled
>>>>>>   UefiCpuPkg: Allow AP booting under SEV-ES
>>>>>>   OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
>>>>>>   OvmfPkg: Move the GHCB allocations into reserved memory
>>>>>>   UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
>>>>>>
>>>>>>  MdeModulePkg/MdeModulePkg.dec                 |    9 +
>>>>>>  OvmfPkg/OvmfPkg.dec                           |    9 +
>>>>>>  UefiCpuPkg/UefiCpuPkg.dec                     |   17 +
>>>>>>  OvmfPkg/OvmfPkgIa32.dsc                       |    6 +
>>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc                    |    6 +
>>>>>>  OvmfPkg/OvmfPkgX64.dsc                        |    6 +
>>>>>>  OvmfPkg/OvmfXen.dsc                           |    1 +
>>>>>>  UefiCpuPkg/UefiCpuPkg.dsc                     |    2 +
>>>>>>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc         |    2 +
>>>>>>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc      |    2 +
>>>>>>  OvmfPkg/OvmfPkgX64.fdf                        |    9 +
>>>>>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf       |    2 +
>>>>>>  MdePkg/Library/BaseLib/BaseLib.inf            |    4 +
>>>>>>  OvmfPkg/PlatformPei/PlatformPei.inf           |    7 +
>>>>>>  .../FvbServicesRuntimeDxe.inf                 |    2 +
>>>>>>  OvmfPkg/ResetVector/ResetVector.inf           |    8 +
>>>>>>  OvmfPkg/Sec/SecMain.inf                       |    4 +
>>>>>>  .../DxeCpuExceptionHandlerLib.inf             |    5 +
>>>>>>  .../PeiCpuExceptionHandlerLib.inf             |    5 +
>>>>>>  .../SecPeiCpuExceptionHandlerLib.inf          |    5 +
>>>>>>  .../SmmCpuExceptionHandlerLib.inf             |    5 +
>>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |    4 +
>>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf |    4 +
>>>>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf  |   33 +
>>>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.h       |   12 +-
>>>>>>  MdePkg/Include/Library/BaseLib.h              |   31 +
>>>>>>  MdePkg/Include/Register/Amd/Fam17Msr.h        |   42 +
>>>>>>  MdePkg/Include/Register/Amd/Ghcb.h            |  136 ++
>>>>>>  OvmfPkg/Include/Library/MemEncryptSevLib.h    |   12 +
>>>>>>  .../QemuFlash.h                               |   13 +
>>>>>>  UefiCpuPkg/CpuDxe/CpuGdt.h                    |    4 +-
>>>>>>  UefiCpuPkg/Include/Library/VmgExitLib.h       |  117 ++
>>>>>>  .../CpuExceptionHandlerLib/AMDSevVcCommon.h   |   49 +
>>>>>>  .../CpuExceptionCommon.h                      |    2 +
>>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.h          |   68 +-
>>>>>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c        |    4 +-
>>>>>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c         |   11 +-
>>>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.c       |   57 +-
>>>>>>  MdePkg/Library/BaseLib/Ia32/GccInline.c       |   45 +
>>>>>>  MdePkg/Library/BaseLib/X64/GccInline.c        |   47 +
>>>>>>  .../MemEncryptSevLibInternal.c                |   75 +-
>>>>>>  OvmfPkg/PlatformPei/AmdSev.c                  |   89 +
>>>>>>  OvmfPkg/PlatformPei/MemDetect.c               |   23 +
>>>>>>  .../QemuFlash.c                               |   23 +-
>>>>>>  .../QemuFlashDxe.c                            |   22 +
>>>>>>  .../QemuFlashSmm.c                            |   16 +
>>>>>>  OvmfPkg/Sec/SecMain.c                         |  188 +-
>>>>>>  UefiCpuPkg/CpuDxe/CpuGdt.c                    |    8 +-
>>>>>>  .../CpuExceptionHandlerLib/AMDSevVcHandler.c  |   40 +
>>>>>>  .../CpuExceptionCommon.c                      |    2 +-
>>>>>>  .../Ia32/ArchAMDSevVcHandler.c                |   38 +
>>>>>>  .../PeiDxeSmmCpuException.c                   |   16 +
>>>>>>  .../SecPeiCpuException.c                      |   16 +
>>>>>>  .../X64/ArchAMDSevVcHandler.c                 | 1699 +++++++++++++++++
>>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |  113 +-
>>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.c          |  265 ++-
>>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c       |   19 +
>>>>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c    |  293 +++
>>>>>>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c  |    2 +-
>>>>>>  MdeModulePkg/MdeModulePkg.uni                 |    8 +
>>>>>>  MdePkg/Library/BaseLib/Ia32/VmgExit.nasm      |   37 +
>>>>>>  MdePkg/Library/BaseLib/Ia32/XGetBv.nasm       |   31 +
>>>>>>  MdePkg/Library/BaseLib/X64/VmgExit.nasm       |   32 +
>>>>>>  MdePkg/Library/BaseLib/X64/XGetBv.nasm        |   34 +
>>>>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |  100 +
>>>>>>  OvmfPkg/ResetVector/Ia32/PageTables64.asm     |  350 +++-
>>>>>>  OvmfPkg/ResetVector/ResetVector.nasmb         |   20 +
>>>>>>  .../X64/ExceptionHandlerAsm.nasm              |   17 +
>>>>>>  UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc   |    2 +-
>>>>>>  .../Library/MpInitLib/Ia32/MpFuncs.nasm       |   15 +
>>>>>>  UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc    |    4 +-
>>>>>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm |  370 +++-
>>>>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni  |   15 +
>>>>>>  .../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm  |    9 +
>>>>>>  UefiCpuPkg/UefiCpuPkg.uni                     |   11 +
>>>>>>  75 files changed, 4707 insertions(+), 102 deletions(-)
>>>>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf
>>>>>>  create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
>>>>>>  create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
>>>>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcCommon.h
>>>>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcHandler.c
>>>>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchAMDSevVcHandler.c
>>>>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchAMDSevVcHandler.c
>>>>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c
>>>>>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>>>>>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
>>>>>>  create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
>>>>>>  create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
>>>>>>  create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
>>>>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni
>>>>>>
>>>
>>>
>>
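The override-library design Andrew and Tom converge on above, worked through as an added example (not edk2 code and not written by either author): a common exception dispatcher asks a link-time override library for a handler before falling back to today's context dump, with a NULL instance for platforms without SEV-ES and a constructed #VC instance whose status return decides whether the default path still runs. The EFI types are reduced to minimal stand-ins so the code builds on a host, the NAE exit-code values for CPUID and MSR_PROT are taken from the GHCB specification [2], and the dispatcher is handed the library instance explicitly so one build can exercise both (in edk2 the platform DSC would link exactly one).

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-ins for the edk2 types named in the thread, constructed so
 * this compiles on a host; the real definitions live in MdePkg. */
typedef uint64_t UINTN;
typedef UINTN    EFI_STATUS;
typedef intptr_t EFI_EXCEPTION_TYPE;
#define EFI_SUCCESS      ((EFI_STATUS)0)
#define EFI_UNSUPPORTED  ((EFI_STATUS)(0x8000000000000000ULL | 3))
#define EFI_ERROR(s)     (((int64_t)(s)) < 0)
#define EFIAPI
#define IN
#define VC_EXCEPTION     29   /* #VC, the "exception #29" of the thread */

/* Only the context fields this sketch touches; for #VC the error code the
 * CPU pushes is the exit code of the intercepted operation. */
typedef struct { UINTN ExceptionData; UINTN Rip; } EFI_SYSTEM_CONTEXT_X64;
typedef union { EFI_SYSTEM_CONTEXT_X64 *SystemContextX64; } EFI_SYSTEM_CONTEXT;

/* Tom's override type: unlike EFI_CPU_INTERRUPT_HANDLER it returns a status,
 * so the common handler can tell whether further processing is needed. */
typedef EFI_STATUS (EFIAPI *CPU_INTERRUPT_OVERRIDE)(
  IN EFI_EXCEPTION_TYPE ExceptionType, IN EFI_SYSTEM_CONTEXT SystemContext);
/* Signature of the library-class entry point OverrideCpuInterruptHandler().
 * Both instances below are plain functions of this type (constructed). */
typedef CPU_INTERRUPT_OVERRIDE (EFIAPI *OVERRIDE_LOOKUP)(
  IN EFI_EXCEPTION_TYPE ExceptionType, IN EFI_SYSTEM_CONTEXT SystemContext);

/* NULL instance: never overrides, so every vector takes the default path. */
CPU_INTERRUPT_OVERRIDE EFIAPI
NullOverrideCpuInterruptHandler(IN EFI_EXCEPTION_TYPE Type, IN EFI_SYSTEM_CONTEXT Ctx) {
  (void)Type; (void)Ctx;
  return NULL;
}

/* Constructed SEV-ES instance. The table is const so it can sit in ROM:
 * XIP SEC/PEI code has no writable globals, which is why the hook is bound
 * at link time rather than through RegisterCpuInterruptHandler(). */
#define SVM_EXIT_CPUID  0x72   /* GHCB spec NAE exit codes */
#define SVM_EXIT_MSR    0x7C
static const struct { UINTN ExitCode; UINTN InsnLength; } mVcTable[] = {
  { SVM_EXIT_CPUID, 2 },   /* CPUID: 0F A2 */
  { SVM_EXIT_MSR,   2 },   /* RDMSR 0F 32, WRMSR 0F 30 */
};
static EFI_STATUS EFIAPI
SevEsVcHandler(IN EFI_EXCEPTION_TYPE Type, IN EFI_SYSTEM_CONTEXT Ctx) {
  EFI_SYSTEM_CONTEXT_X64 *X = Ctx.SystemContextX64;
  (void)Type;
  for (size_t i = 0; i < sizeof(mVcTable) / sizeof(mVcTable[0]); i++) {
    if (mVcTable[i].ExitCode == X->ExceptionData) {
      /* Real code fills the GHCB, executes VMGEXIT and copies the results
       * back; the stand-in only steps over the intercepted instruction. */
      X->Rip += mVcTable[i].InsnLength;
      return EFI_SUCCESS;
    }
  }
  return EFI_UNSUPPORTED;   /* unknown NAE event: let the default path run */
}
CPU_INTERRUPT_OVERRIDE EFIAPI
SevEsOverrideCpuInterruptHandler(IN EFI_EXCEPTION_TYPE Type, IN EFI_SYSTEM_CONTEXT Ctx) {
  (void)Ctx;
  return (Type == VC_EXCEPTION) ? SevEsVcHandler : NULL;
}

typedef enum { DISPATCH_RESUMED = 0, DISPATCH_DEFAULT_DUMP = 1 } DISPATCH_RESULT;
typedef struct { EFI_EXCEPTION_TYPE Type; UINTN Rip; UINTN Count; } DUMP_RECORD;
static DUMP_RECORD mLastDump;   /* host-only bookkeeping for the default path */
const DUMP_RECORD *LastDump(void) { return &mLastDump; }

/* The common handler with the override hook placed in front of today's
 * behaviour (dump the context for every exception and stop). */
DISPATCH_RESULT
CommonExceptionHandler(OVERRIDE_LOOKUP Lookup, EFI_EXCEPTION_TYPE Type,
                       EFI_SYSTEM_CONTEXT Ctx) {
  CPU_INTERRUPT_OVERRIDE Override = Lookup(Type, Ctx);
  if (Override != NULL && !EFI_ERROR(Override(Type, Ctx))) {
    return DISPATCH_RESUMED;      /* handled: IRET to the fixed-up RIP */
  }
  mLastDump.Type = Type;
  mLastDump.Rip  = Ctx.SystemContextX64->Rip;
  mLastDump.Count++;
  return DISPATCH_DEFAULT_DUMP;
}

/* Push one exception through the dispatcher and report what happened. */
typedef struct { DISPATCH_RESULT Result; UINTN Rip; } SCENARIO;
SCENARIO RunScenario(OVERRIDE_LOOKUP Lookup, EFI_EXCEPTION_TYPE Type,
                     UINTN ExceptionData, UINTN Rip) {
  EFI_SYSTEM_CONTEXT_X64 X = { ExceptionData, Rip };
  EFI_SYSTEM_CONTEXT Ctx = { &X };
  SCENARIO S;
  S.Result = CommonExceptionHandler(Lookup, Type, Ctx);
  S.Rip = X.Rip;
  return S;
}
```

With the NULL instance a #VC still ends in the dump, exactly as an SEV-ES-unaware platform should behave; with the SEV-ES instance only the exit codes it knows are resumed, and anything else, or a non-#VC vector, falls through to the existing handling.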