Subject: Re: [edk2-devel] [PATCH 11/12] OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported
From: "Laszlo Ersek"
To: devel@edk2.groups.io, thomas.lendacky@amd.com
Cc: Brijesh Singh, James Bottomley, Jordan Justen, Ard Biesheuvel, Anthony Perard, Julien Grall
Date: Tue, 5 Jan 2021 11:13:36 +0100
Message-ID: <6190a1ad-3475-8b0c-9391-3efdc6050213@redhat.com>

On 12/15/20 21:51, Lendacky, Thomas wrote:
> From: Tom Lendacky
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
>
> Protect the GHCB backup pages used by an SEV-ES guest when S3 is
> supported.
>
> Regarding the lifecycle of the GHCB backup pages:
> PcdOvmfSecGhcbBackupBase
>
> (a) when and how it is initialized after first boot of the VM
>
> If SEV-ES is enabled, the GHCB backup pages when a nested #VC is
> received during the SEC phase
> [OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c].

(1) This sentence appears to miss a verb.

With that fixed:

Reviewed-by: Laszlo Ersek

Thanks
Laszlo

>
> (b) how it is protected from memory allocations during DXE
>
> If S3 and SEV-ES are enabled, then InitializeRamRegions()
> [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with an AcpiNVS
> memory allocation HOB, in PEI.
>
> If S3 is disabled, then these ranges are not protected. PEI switches to
> the GHCB backup pages in permanent PEI memory and DXE will use these
> PEI GHCB backup pages, so we don't have to preserve
> PcdOvmfSecGhcbBackupBase.
>
> (c) how it is protected from the OS
>
> If S3 is enabled, then (b) reserves it from the OS too.
>
> If S3 is disabled, then the range needs no protection.
>
> (d) how it is accessed on the S3 resume path
>
> It is rewritten same as in (a), which is fine because (b) reserved it.
>
> (e) how it is accessed on the warm reset path
>
> It is rewritten same as in (a).
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Anthony Perard
> Cc: Julien Grall
> Cc: Brijesh Singh
> Signed-off-by: Tom Lendacky
> ---
> OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++
> OvmfPkg/PlatformPei/MemDetect.c | 5 +++++
> 2 files changed, 7 insertions(+)
>
> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
> index c53be2f4925c..6ef77ba7bb21 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -118,6 +118,8 @@ [FixedPcd] > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData > + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase > + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize > gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase > gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize > > diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c > index ffbbef891a11..c08aa2e45a53 100644 > --- a/OvmfPkg/PlatformPei/MemDetect.c > +++ b/OvmfPkg/PlatformPei/MemDetect.c > @@ -888,6 +888,11 @@ InitializeRamRegions ( > (UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbSize), > EfiACPIMemoryNVS > ); > + BuildMemoryAllocationHob ( > + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSecGhcbBackupBase), > + (UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbBackupSize), > + EfiACPIMemoryNVS > + ); > } > #endif > } >
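Review bot: in the PlatformPei.inf hunk, the two new [FixedPcd] entries (gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase and PcdOvmfSecGhcbBackupSize) are what let the PcdGet32 () calls added in MemDetect.c resolve, so the .inf and .c changes belong in the same patch as they are here; the only point is placement, since they land between the gEmbeddedTokenSpaceGuid and gUefiCpuPkgTokenSpaceGuid entries rather than beside the other gUefiOvmfPkgTokenSpaceGuid GHCB PCDs that MemDetect.c already consumes (PcdOvmfSecGhcbSize is visible in the second hunk), and if the section groups entries by token space the new lines would read better next to those.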
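Review bot: in the MemDetect.c hunk, the new BuildMemoryAllocationHob () call mirrors the existing one for the GHCB pages directly above it (same EfiACPIMemoryNVS type, same (EFI_PHYSICAL_ADDRESS)(UINTN) / (UINT64)(UINTN) casts on PcdGet32) and sits inside the same conditional block closed by the trailing "}" and "#endif", so the backup range is reserved under exactly the conditions the commit message states in (b), S3 and SEV-ES both enabled, and is left alone otherwise; the logic looks right. One documentation point: a one-line comment above the new call saying why the backup pages need the NVS reservation (the S3 resume path rewrites them in place, per lifecycle note (d)) would keep that rationale beside the code instead of only in the commit message, and the commit message's note (a) still needs its missing verb, as already flagged in this reply.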