From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM02-BN1-obe.outbound.protection.outlook.com (NAM02-BN1-obe.outbound.protection.outlook.com [40.107.212.76]) by mx.groups.io with SMTP id smtpd.web11.8588.1652450171358791762 for ; Fri, 13 May 2022 06:56:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=O3DFUpiw; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.212.76, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=a/tBwHCGPOo3ourwBKwmOtduaoZa1nS3X1E/48SUsOrlFlv1rGcW74Ag9+okjeTY1zXuQ9L1vcG4ahfubYJ1L9jwVKME6/efIiFsTPyK+7IPM86ReKsV3QgMg0KYSL5JzojQTrzufilwj9X69Z4AK8C3L8CH+O71nZa1jPu3xE2WTAhphrZYupANqWdjeUTn7OQhne/zw2P4vVdH5ihu86QuwzTmmv3EUrZumHl6NXkti0HG/gOhvqEh/nB/XqUESjUm7WGeQuK0Z707gfx5hX0MqTZ3CHe7gdmEXJEdTP06G3EepGh73+b+AU3dDOAnlHpsvmehgyR3IhCAMHjckg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jfGilDYuLMsugQefCfXvDqsEjP4+g11sAhChQMJqTwQ=; b=gPV19O+NnQqHIJWpcH9OsndBm6Lf4ZY0tEKoX07V/fAF3EYNdneIQ22K2q+AM+CmoSOzUnRW6Pr8Vn8uTvLJEWADLUrOmeP1n5/kckl21l9Ue0DkotBjI5yDVqiYIcR1cTpXq8F8hYiJ1pY7Ag/2SUHbXgJeLZ5pmlc4NZDmXtaD/BsBe/r00OdQDeK6efyxvjncaKlI61yZAMcun9EPetyiBEYo13fHrJWk+ak+fnZoTYZi29Ak/4WL3yNnkVHcV8saDNLDJd6nLhtUxP32sNguQa+AzkfTS/V74G+TY3NYZA3ExA19M8+e/DIzSycFrvYF0kwurweGgXfLDW6fMw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jfGilDYuLMsugQefCfXvDqsEjP4+g11sAhChQMJqTwQ=; b=O3DFUpiwpZcnACmXgRT9/oW0DV2/b54dWJ7SOkh/gf+UBH1v8KiiFMLnwfZkruurxlzTjuM4BVmAa3KBeZoYVkKXPBHSLp9CCRZY5CLSu2c2Ln0UEqB17C1XvvK6qhCuqoCd5tHZE0eqpohM970VB4si8JdsQ4NKPH+Cd19o0rM= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com; Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) by BN6PR12MB1506.namprd12.prod.outlook.com (2603:10b6:405:10::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5250.14; Fri, 13 May 2022 13:56:08 +0000 Received: from DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::db8:5b23:acf0:6f9a]) by DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::db8:5b23:acf0:6f9a%4]) with mapi id 15.20.5250.016; Fri, 13 May 2022 13:56:08 +0000 Message-ID: <62b8bc5f-3d0a-9ad6-1049-ea260cf01b19@amd.com> Date: Fri, 13 May 2022 08:56:06 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: [PATCH] UefiCpuPkg: Store SEV-SNP AP jump table in the secrets page To: Michael Roth , devel@edk2.groups.io References: <20220513132253.397679-1-michael.roth@amd.com> From: "Lendacky, Thomas" In-Reply-To: <20220513132253.397679-1-michael.roth@amd.com> X-ClientProxiedBy: SA9PR13CA0042.namprd13.prod.outlook.com (2603:10b6:806:22::17) To DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) Return-Path: Thomas.Lendacky@amd.com MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 32d554a1-ac55-4b85-b3d4-08da34e854a2 X-MS-TrafficTypeDiagnostic: BN6PR12MB1506:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Blt6PUDTnmU3FodobZyQg+MnVoKbh5LEQBpKtwVmJsaUhJFqDl3FZjIkTm2GEAEMp4rNdMy9bCTjTfULrDpD4DJq+dmKXduVk4QQ5AU1+LPdMb0jy/09AHuZ7rNVuvpeHL+oZCG4Fa/YB8B9ttsRndSEPrL3g5k7EZDzv6OBCwjSCsLAAkZJjO/s9jWKbDW/IxrLnNbUFLFlCjFseNFcQujy3I1AhruMO0RSCWB1uh0uqiUQTWDjt7TjvWlUrPLfP/kqeO0UWnUoIqToy5lwUxAam2qDXffF4pmjOWRFqS2s1VB/uXthoERH98KL/rLwTDLtS+F2BA/Gd38Tg0rC2lKGk2DkTDiXfHpGUvi4XyjVfm+C7SvZheRwvJIZrjHUMIcUCtR2+W9T0O61ZqMSAgbk2wiHdkipeV/2tS34I6pRj49AbHVDIaYQ9HPXhaZSBNa2w/J+mpu9vsZ4k8csnsKZsRHBH9I2NGzWJMSpjrpt6auATRX/rRFyv3guwz6Qkutjmt6e3deHItau2R9G8pvYYhsXH/agRTOQR27TKsUzm+yVR//dXBwmmIiVaIMjTO1YvMATKw9PuePsaz/MK1zv+YjHqloSBeJUrd61ofb6SMWL2LJt9bDFKcOFu9/NNY9GA9YYZ0v8BOYZMPuKkVND1AG9KGLnqydJVn9O9j/DsEKD1iayPSrGmEjxDYrgUd8rMNiL4xZS6iesEWiPkWsKGimc4HBYgwTeRGYYCjdsHflI5ChVnF3VC971hxC/ X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(8936002)(2906002)(38100700002)(508600001)(30864003)(316002)(19627235002)(8676002)(5660300002)(66476007)(83380400001)(66946007)(66556008)(53546011)(6506007)(6486002)(186003)(2616005)(6512007)(26005)(31686004)(86362001)(36756003)(31696002)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?eUhuTk9xTzZtbXF0TFIyN0JCc3I2N3owQnY3bnozcHFjZllyeUZWSHBHbW10?= =?utf-8?B?bzB3NlZrZERRTDhTMlZhQTBmVWM5WVBiNWtBaDZyVjQ0MmpkWGNPUmZHK3Mv?= =?utf-8?B?a2h1TG5XUEZvVS9pZTNnQ2hvdUhNUURiUFhTRXBrcVhRL2VKaEdybjlzNU8z?= =?utf-8?B?dGZBcW1jeUZCcVlrVFVFbGVKY0piMVpuaHFjVHZ2TlJ1ZFlZYm1PU1ZpcTNV?= =?utf-8?B?c0crZG04UVUvMXVNS21XRTkrTHdQUlgwdzZqSElLbFFsTXZjaFlYVmMxczF0?= =?utf-8?B?RlNva2k5ZVY3WkhEcnBoQytTMFAvRGxmcFlFbnB6NTB2N1R1NXk5czd5dkJP?= =?utf-8?B?U2tBa1M4OFNQRW15TVlyakdVM2VIUFY5bUxFRU1wd3k2R0x0ZWViNEE3TXZ5?= =?utf-8?B?RUlSOGdteThvdVhGWlAwZm5uMkh0UlVLbGg1aks2eEZ3eE1IbE16eGZzRG1T?= =?utf-8?B?aWtxLzVDYzZacGFRY2phWjFYTThXbFRPNDJWRkxxWFAvb09YMzNPNnBtZkFl?= =?utf-8?B?Q0ROcHR5NnIrcFczNEFDdXk2K0FzYUZZYUYreWZCdDVzYUFwQkFvOHNyWGlU?= =?utf-8?B?UEowaFNlNzU2REMvYllsRmE4TG1CSEdaTU9jSkNCb0JQbHZSSmt2SkNkeGsr?= =?utf-8?B?T1FBMldML1RrYVB5MEV4eEZCRi9ha3pXZDNwZmphaEJiaVlzUUxkYmx2Qm9s?= =?utf-8?B?WlgxUzNOdVFlYVAyVm1tRnd0SmVCYTRoWHJpOUY5UkhCcUR6elJaU0p2a0px?= =?utf-8?B?OTM5bllQYjBZaGRWdENtcys1L1BaQ2JtdFF6aXNKNkt5T2xmcDNWb0VpS0tq?= =?utf-8?B?RFlQT3ZYOXN4Vm94U1lST24wSmZDZHdQbVNXNkhiT0VubDNiY2dNV3hKSmNG?= =?utf-8?B?eGphQXc0TXFQK2Z0STRSNHhXNW1rRlpsVmJnemtBL1lhRC9GanFtSnZGTjNV?= =?utf-8?B?NjQrSEF4UXhuZlUzUFFuMVpKcEQ5ZGFHOXVCTmlvNHloTmdoM3FpRFp1SG5V?= =?utf-8?B?eWZ2Q1FMMFE0cVVhaWVRVUdHbEw1L3ZJR2JQZGEvcEd3T2J6NEhSb244OFd5?= =?utf-8?B?YXljcHdOMFByOTB1S3BTc3RxbTN4ZTNoNUZsRTFQOVgxY3FwakZJa3lLK3po?= =?utf-8?B?V2F6QmlNbkVWUXpBTENDRkg0MTY0aWVwWFd0TTdyRlBwcFNyams5QkVkUFF5?= =?utf-8?B?bm52VkRvZjVSYXlkaG5GaEF2Z0tTQ1FkVm1vRWZaU2FiOTRHZnZHM0VFbDNQ?= =?utf-8?B?VUVFSWpzL3FxY0xxdWt0UVdIdm1pVEN6dGN3R0MySzNGbW1YakloQXZEOERY?= =?utf-8?B?bDlNR1MwbE5RRWRKaGJPdmFmNytSQnFpMlFxQ1FodVc2QnA0VkVhMDBJUmtD?= =?utf-8?B?dXhOdEp1UG01K3dCTzh4UXBFR09nRERBTTIzT1ZsaDY5U3pVVkxyc00xZGNs?= =?utf-8?B?dXpneTh0N1N2WlFxN05LY05rcDRYbTYzazQydGNHemNqSkxGcVc5N1ZTc1BU?= =?utf-8?B?bWVUNC9qWlY1V2drOU5DOWJQV1B2VFo4SmZJOWlHOURkeEoxWW1UVTRCVVg5?= =?utf-8?B?SlRkN1l2MWlVUTZXckxNR0dVTUJ3TXVPNHBKcnoyRmVLRnBPTEtYVTIvZW0z?= =?utf-8?B?dWZoNnZrSlRYaWNJdkttQnN4QWt1RmliS0VsbGRhSDV5ZEl1N3c5UU44NWtz?= =?utf-8?B?UE5rMDk2OG5xMkJQMWNNSll6U2pjRUV3bytRc3hzb3NzSi93VWZKNkZyUkUz?= =?utf-8?B?cVc5b3A1dTVrbFVURFlvaXhUaHdRSzZaSUdFd0d3MkQzdGt6QVRzaFozVlFt?= =?utf-8?B?M0xDWGtVVkYvOWEvNFI5T0pUaEJETUMzVHJqNC9TQzNhNHl5ZWs5djF0ZzhU?= =?utf-8?B?L2VuK21GcHBVbFd1RXU1UVovNy9mUE5ZRHJ0eUZEclRhMkYzb3pGZm1TNHlE?= =?utf-8?B?T0VpanRXanI2M2dxWHZyNFVnSjhUOGxHczV5dFpHVmp5b054Q29LMDIzT2dp?= =?utf-8?B?Sk1RU2ZqNllSdW82L1pqWCtzVFY4UjlrR0IyNjlTOWMwME5mTXErUDk0UkRI?= =?utf-8?B?TDFheEFrMTdEU2tTdjc0MnJJenh3VzJlTTZBY2liamRsdG5VQXNkd3Q1UGR6?= =?utf-8?B?TVcvc05IYk5zVzFMZC9QRWR0QmZVeUt4TXhZVml0eFlIMVhuWU8rU3Z1dVlo?= =?utf-8?B?UGhNdDhPdXFOV2h1dkwrQndaL2NIaHNvUlVpdGE4MzFrd2NlUExndDg1eHpo?= =?utf-8?B?cWk0dXZOZzBPMkwrUThtUkdOVDVCMFpBc1VJOVlud1JWUStNL3d0a0pnY0VQ?= =?utf-8?B?Z2ttMkpLUEI0SktsWGZTYVlQenZCT3lwZit1aENTaE05cmZPTWNOUT09?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 32d554a1-ac55-4b85-b3d4-08da34e854a2 X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 May 2022 13:56:08.4914 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Mw2ycCcxGHQpBFELGoLsHMI5QN+3j7ortqrZjpYFoZ0o5pMlfxu3qxVsWHBPebOH1p7PhaTB61bU9kIburKYPw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1506 Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 5/13/22 08:22, Michael Roth wrote: > A full-featured SEV-SNP guest will not rely on the AP jump table, and > will instead use the AP Creation interface defined by the GHCB. However, > a guest is still allowed to use the AP jump table if desired. > > However, unlike with SEV-ES guests, SEV-SNP guests should not > store/retrieve the jump table address via GHCB requests to the > hypervisor, they should instead store/retrieve it via the SEV-SNP > secrets page. Implement the store side of this for OVMF. > > Suggested-by: Tom Lendacky > Signed-off-by: Michael Roth > --- > MdePkg/Include/AmdSevSnpSecretsPage.h | 51 +++++++++++++++++++ > MdePkg/MdePkg.dec | 4 ++ > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ++ > OvmfPkg/CloudHv/CloudHvX64.dsc | 3 ++ > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 ++ > OvmfPkg/Microvm/MicrovmX64.dsc | 3 ++ > OvmfPkg/OvmfPkgIa32.dsc | 3 ++ > OvmfPkg/OvmfPkgIa32X64.dsc | 3 ++ > OvmfPkg/OvmfPkgX64.dsc | 3 ++ > OvmfPkg/PlatformPei/AmdSev.c | 5 ++ > OvmfPkg/PlatformPei/PlatformPei.inf | 1 + > UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 + > UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 9 ++++ > 13 files changed, 92 insertions(+) > create mode 100644 MdePkg/Include/AmdSevSnpSecretsPage.h > > diff --git a/MdePkg/Include/AmdSevSnpSecretsPage.h b/MdePkg/Include/AmdSevSnpSecretsPage.h > new file mode 100644 > index 0000000000..55c7475ff0 > --- /dev/null > +++ b/MdePkg/Include/AmdSevSnpSecretsPage.h Just wondering if this should be in the MdePkg/Include/Register/Amd directory? > @@ -0,0 +1,51 @@ > +/** @file > +Definitions for AMD SEV-SNP Secrets Page > + > +Copyright (c) 2022 AMD Inc. All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef AMD_SEV_SNP_SECRETS_PAGE_H_ > +#define AMD_SEV_SNP_SECRETS_PAGE_H_ > + > +// > +// OS-defined area of secrets page > +// > +// As defined by "SEV-ES Guest-Hypervisor Communication Block Standardization", > +// revision 1.50, section 2.7, "SEV-SNP Secrets Page". This should be using at least revision 2.00 (if not 2.01 which is in the process of being published). 2.01 uses some of the 40-byte reserved area to hold the high 32-bits of the message sequence numbers (since the SNP API changed after the GHCB spec was published to convert the sequence numbers from 32-bit to 64-bit). The changes are backwards compatible, so not a big deal as to whether to implement since OVMF doesn't make any guest request API calls. Thanks, Tom > +// > +typedef PACKED struct _SNP_SECRETS_OS_AREA { > + UINT32 MsgSeqNum0; > + UINT32 MsgSeqNum1; > + UINT32 MsgSeqNum2; > + UINT32 MsgSeqNum3; > + UINT64 ApJumpTablePa; > + UINT8 Reserved[40]; > + UINT8 GuestUsage[32]; > +} SNP_SECRETS_OS_AREA; > + > +#define VMPCK_KEY_LEN 32 > + > +// > +// SEV-SNP Secrets page > +// > +// As defined by "SEV-SNP Firmware ABI", revision 1.51, section 8.17.2.5, > +// "PAGE_TYPE_SECRETS". > +// > +typedef PACKED struct _SNP_SECRETS_PAGE { > + UINT32 Version; > + UINT32 ImiEn : 1, > + Reserved : 31; > + UINT32 Fms; > + UINT32 Reserved2; > + UINT8 Gosvw[16]; > + UINT8 Vmpck0[VMPCK_KEY_LEN]; > + UINT8 Vmpck1[VMPCK_KEY_LEN]; > + UINT8 Vmpck2[VMPCK_KEY_LEN]; > + UINT8 Vmpck3[VMPCK_KEY_LEN]; > + SNP_SECRETS_OS_AREA OsArea; > + UINT8 Reserved3[3840]; > +} SNP_SECRETS_PAGE; > + > +#endif > diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec > index f1ebf9e251..a365bfcfe8 100644 > --- a/MdePkg/MdePkg.dec > +++ b/MdePkg/MdePkg.dec > @@ -2417,5 +2417,9 @@ > # @Prompt Memory encryption attribute > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x0000002e > > + ## This dynamic PCD indicates the location of the SEV-SNP secrets page. > + # @Prompt SEV-SNP secrets page address > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0|UINT64|0x0000002f > + > [UserExtensions.TianoCore."ExtraFiles"] > MdePkgExtra.uni > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > index f0700035c1..02306945fd 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -575,6 +575,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > !include OvmfPkg/OvmfTpmPcds.dsc.inc > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc > index d1c85f60c7..7143698253 100644 > --- a/OvmfPkg/CloudHv/CloudHvX64.dsc > +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc > @@ -630,6 +630,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > [PcdsDynamicHii] > !include OvmfPkg/OvmfTpmPcdsHii.dsc.inc > > diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > index 80c331ea23..b19718c572 100644 > --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc > +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc > @@ -512,6 +512,9 @@ > > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform. > diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc > index 20c3c9c4d8..42673c29ee 100644 > --- a/OvmfPkg/Microvm/MicrovmX64.dsc > +++ b/OvmfPkg/Microvm/MicrovmX64.dsc > @@ -613,6 +613,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform. > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 533bbdb435..8ffef069a3 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -649,6 +649,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > !if $(CSM_ENABLE) == FALSE > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > !endif > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index cb68e612bd..0b4d5001b2 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -657,6 +657,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > !if $(CSM_ENABLE) == FALSE > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > !endif > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 71526bba31..3a3223be6b 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -680,6 +680,9 @@ > # Set ConfidentialComputing defaults > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 > > + # Set SEV-SNP Secrets page address default > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress|0 > + > !if $(CSM_ENABLE) == FALSE > gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000 > !endif > diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c > index 385562b44c..70352ca43b 100644 > --- a/OvmfPkg/PlatformPei/AmdSev.c > +++ b/OvmfPkg/PlatformPei/AmdSev.c > @@ -408,6 +408,11 @@ AmdSevInitialize ( > // > if (MemEncryptSevSnpIsEnabled ()) { > PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp); > + ASSERT_RETURN_ERROR (PcdStatus); > + PcdStatus = PcdSet64S ( > + PcdSevSnpSecretsAddress, > + (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase) > + ); > } else if (MemEncryptSevEsIsEnabled ()) { > PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs); > } else { > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf > index 00372fa0eb..c688e4ee24 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -114,6 +114,7 @@ > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr > gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures > gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress > > [FixedPcd] > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase > diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > index e1cd0b3500..d8cfddcd82 100644 > --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf > @@ -80,3 +80,4 @@ > gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES > gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES > gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES > + gEfiMdePkgTokenSpaceGuid.PcdSevSnpSecretsAddress ## CONSUMES > diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > index 60d14a5a0e..6014dce136 100644 > --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c > @@ -15,6 +15,7 @@ > #include > #include > #include > +#include > > #include > > @@ -216,6 +217,14 @@ GetSevEsAPMemory ( > > DEBUG ((DEBUG_INFO, "Dxe: SevEsAPMemory = %lx\n", (UINTN)StartAddress)); > > + if (ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { > + SNP_SECRETS_PAGE *Secrets = (SNP_SECRETS_PAGE *)(INTN)PcdGet64 (PcdSevSnpSecretsAddress); > + > + Secrets->OsArea.ApJumpTablePa = (UINT64)(UINTN)StartAddress; > + > + return (UINTN)StartAddress; > + } > + > // > // Save the SevEsAPMemory as the AP jump table. > //