From: "Lendacky, Thomas"
To: devel@edk2.groups.io
Cc: Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Michael D Kinney, Liming Gao, Eric Dong, Ray Ni, Brijesh Singh
Subject: [PATCH v8 34/46] OvmfPkg: Reserve a page in memory for the SEV-ES usage
Date: Tue, 19 May 2020 16:51:02 -0500
Message-Id: <5f3a4f30804261206adde675b983f42b777dd5d8.1589925074.git.thomas.lendacky@amd.com>
X-Mailer: git-send-email 2.17.1

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Reserve a fixed area of memory for SEV-ES use and set a fixed PCD,
PcdSevEsWorkAreaBase, to this value.

This area will be used by SEV-ES support for two purposes:
  1. Communicating the SEV-ES status during BSP boot to SEC:
     Using a byte of memory from the page, the BSP reset vector code can
     communicate the SEV-ES status to SEC for use before exception
     handling can be enabled in SEC. After SEC, this field is no longer
     valid and the standard way of determining if SEV-ES is active should
     be used.

  2. Establishing an area of memory for AP boot support:
     A hypervisor is not allowed to update an SEV-ES guest's register
     state, so when booting an SEV-ES guest AP, the hypervisor is not
     allowed to set the RIP to the guest requested value. Instead an
     SEV-ES AP must be re-directed from within the guest to the actual
     requested starting location as specified in the INIT-SIPI-SIPI
     sequence.

     Use this memory for reset vector code that can be programmed to have
     the AP jump to the desired RIP location after starting the AP. This
     is required for only the very first AP reset.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
 OvmfPkg/OvmfPkgX64.fdf                    |  3 +++
 OvmfPkg/ResetVector/ResetVector.inf       |  1 +
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 11 +++++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb     |  1 +
 4 files changed, 16 insertions(+)

diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 88b1e880e603..8836b30a0cef 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -82,6 +82,9 @@ [FD.MEMFD] 0x009000|0x002000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize +0x00B000|0x001000 +gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index 483fd90fe785..e94e1bfcce7e 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -34,6 +34,7 @@ [BuildOptions] *_*_X64_NASMB_FLAGS = -I$(WORKSPACE)/UefiCpuPkg/ResetVector/Vtf0/ [Pcd] + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm index c3587a1b7814..73a4eaadb1b6 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -89,6 +89,10 @@ SevExit: ; If SEV-ES is disabled then EAX will be zero. ; CheckSevEsFeature: + ; Initialize the first byte of the workarea to zero to communicate to + ; the SEC phase that SEV-ES is not enabled. + mov byte[SEV_ES_WORK_AREA], 0 + xor eax, eax ; SEV-ES can't be enabled if SEV isn't, so first check the encryption @@ -108,6 +112,13 @@ CheckSevEsFeature: ; Restore encryption mask mov edx, ebx + test eax, eax + jz NoSevEs + + ; Set the first byte of the workarea to one to communicate to the SEC + ; phase that SEV-ES is enabled. + mov byte[SEV_ES_WORK_AREA], 1 + NoSevEs: OneTimeCallRet CheckSevEsFeature diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index bfb77e439105..2967617bfaa0 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -72,6 +72,7 @@ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) + %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %include "Ia32/PageTables64.asm" %endif -- 2.17.1
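
Review bot: In the OvmfPkgX64.fdf hunk, the new 0x00B000|0x001000 region has no comment describing how the page is divided, although the commit message gives it two uses: a one-byte SEV-ES status flag read by SEC, and reset vector code for the first AP reset. Please document next to the region (or the PCD declaration) which offsets belong to which use, so that AP reset code placed in this page later cannot overlap the status byte that the reset vector writes at offset 0.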
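
Review bot: In the first PageTables64.asm hunk (top of CheckSevEsFeature), the store "mov byte[SEV_ES_WORK_AREA], 0" comes before the SEV check, so it runs on every boot that reaches this routine, including guests without SEV. That makes the write depend on PcdSevEsWorkAreaBase pointing at reserved RAM for every platform that assembles this file, while the diffstat adds the region only to OvmfPkgX64.fdf. Please state in the commit message that no other FDF builds this path, or add a build-time guard in ResetVector.nasmb (for example a NASM %error when SEV_ES_WORK_AREA evaluates to 0) so a platform that leaves the PCD unset fails the build instead of writing to an unintended address.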
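
Review bot: In the second PageTables64.asm hunk (before NoSevEs), the status is stored as a literal 1 at a bare "byte[SEV_ES_WORK_AREA]", mirroring the literal 0 in the first hunk, so the SEC-side reader has to hard-code the same offset and encoding independently. A named offset and named values defined in one place and shared by producer and consumer would keep the two in step. The commit message also says the field is no longer valid after SEC, but nothing visible in this patch clears it or records that; a comment at this store stating the validity window would help later readers avoid trusting the byte past SEC.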