From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: devel@edk2.groups.io
Cc: Brijesh Singh <brijesh.singh@amd.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Eric Dong <eric.dong@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
Liming Gao <liming.gao@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>,
Ray Ni <ray.ni@intel.com>,
Anthony Perard <anthony.perard@citrix.com>,
Julien Grall <julien@xen.org>
Subject: [PATCH v12 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported
Date: Mon, 27 Jul 2020 10:26:16 -0500 [thread overview]
Message-ID: <6de8f3220156163493b3614eb8c6e63f6d1d3095.1595863587.git.thomas.lendacky@amd.com> (raw)
In-Reply-To: <cover.1595863587.git.thomas.lendacky@amd.com>
From: Tom Lendacky <thomas.lendacky@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Protect the SEV-ES work area memory used by an SEV-ES guest.
Regarding the lifecycle of the SEV-ES memory area:
PcdSevEsWorkArea
(a) when and how it is initialized after first boot of the VM
If SEV-ES is enabled, the SEV-ES area is initialized during
the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].
(b) how it is protected from memory allocations during DXE
If SEV-ES is enabled, then InitializeRamRegions()
[OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
allocation HOB, in PEI.
(c) how it is protected from the OS
If S3 is enabled, then (b) reserves it from the OS too.
If S3 is disabled, then the range needs no protection.
(d) how it is accessed on the S3 resume path
It is rewritten same as in (a), which is fine because (b) reserved it.
(e) how it is accessed on the warm reset path
It is rewritten same as in (a).
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++
OvmfPkg/PlatformPei/MemDetect.c | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 4742e1bdf42b..c53be2f4925c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -118,6 +118,8 @@ [FixedPcd]
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
+ gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+ gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
[FeaturePcd]
gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 6b5fee166b5d..ffbbef891a11 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -940,5 +940,25 @@ InitializeRamRegions (
);
}
}
+
+#ifdef MDE_CPU_X64
+ if (MemEncryptSevEsIsEnabled ()) {
+ //
+ // If SEV-ES is enabled, reserve the SEV-ES work area.
+ //
+ // Since this memory range will be used by the Reset Vector on S3
+ // resume, it must be reserved as ACPI NVS.
+ //
+ // If S3 is unsupported, then various drivers might still write to the
+ // work area. We ought to prevent DXE from serving allocation requests
+ // such that they would overlap the work area.
+ //
+ BuildMemoryAllocationHob (
+ (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
+ (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
+ mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
+ );
+ }
+#endif
}
}
--
2.27.0
next prev parent reply other threads:[~2020-07-27 15:31 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 15:25 [PATCH v12 00/46] SEV-ES guest support Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 01/46] MdeModulePkg: Create PCDs to be used in support of SEV-ES Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 02/46] UefiCpuPkg: Create PCD " Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 03/46] MdePkg: Add the MSR definition for the GHCB register Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 04/46] MdePkg: Add a structure definition for the GHCB Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 05/46] MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 06/46] MdePkg/BaseLib: Add support for the XGETBV instruction Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 07/46] MdePkg/BaseLib: Add support for the VMGEXIT instruction Lendacky, Thomas
2020-07-28 1:34 ` Liming Gao
2020-07-28 4:07 ` Lendacky, Thomas
2020-07-28 7:39 ` Liming Gao
2020-07-28 12:04 ` Laszlo Ersek
2020-07-28 13:44 ` Liming Gao
2020-07-28 14:13 ` Lendacky, Thomas
2020-07-28 15:19 ` Laszlo Ersek
2020-07-29 1:13 ` Liming Gao
2020-07-27 15:25 ` [PATCH v12 08/46] UefiCpuPkg: Implement library support for VMGEXIT Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 09/46] OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 10/46] UefiPayloadPkg: Prepare UefiPayloadPkg " Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 11/46] UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 12/46] OvmfPkg/VmgExitLib: Implement library support for VmgExitLib in OVMF Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 13/46] OvmfPkg/VmgExitLib: Add support for IOIO_PROT NAE events Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 14/46] OvmfPkg/VmgExitLib: Support string IO " Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 15/46] OvmfPkg/VmgExitLib: Add support for CPUID " Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 16/46] OvmfPkg/VmgExitLib: Add support for MSR_PROT " Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 17/46] OvmfPkg/VmgExitLib: Add support for NPF NAE events (MMIO) Lendacky, Thomas
2020-07-27 15:25 ` [PATCH v12 18/46] OvmfPkg/VmgExitLib: Add support for WBINVD NAE events Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 19/46] OvmfPkg/VmgExitLib: Add support for RDTSC " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 20/46] OvmfPkg/VmgExitLib: Add support for RDPMC " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 21/46] OvmfPkg/VmgExitLib: Add support for INVD " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 22/46] OvmfPkg/VmgExitLib: Add support for VMMCALL " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 23/46] OvmfPkg/VmgExitLib: Add support for RDTSCP " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 24/46] OvmfPkg/VmgExitLib: Add support for MONITOR/MONITORX " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 25/46] OvmfPkg/VmgExitLib: Add support for MWAIT/MWAITX " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 26/46] OvmfPkg/VmgExitLib: Add support for DR7 Read/Write " Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 27/46] OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 28/46] OvmfPkg: Add support to perform SEV-ES initialization Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 29/46] OvmfPkg: Create a GHCB page for use during Sec phase Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 30/46] OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 31/46] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 32/46] OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 33/46] UefiCpuPkg: Create an SEV-ES workarea PCD Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 34/46] OvmfPkg: Reserve a page in memory for the SEV-ES usage Lendacky, Thomas
2020-07-27 15:26 ` Lendacky, Thomas [this message]
2020-07-27 15:26 ` [PATCH v12 36/46] OvmfPkg/ResetVector: Add support for a 32-bit SEV check Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 37/46] OvmfPkg/Sec: Add #VC exception handling for Sec phase Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 38/46] OvmfPkg/Sec: Enable cache early to speed up booting Lendacky, Thomas
2020-07-27 15:26 ` [PATCH v12 39/46] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with SEV-ES Lendacky, Thomas
2020-07-27 17:41 ` [edk2-devel] [PATCH v12 00/46] SEV-ES guest support Laszlo Ersek
2020-07-27 17:43 ` Laszlo Ersek
2020-07-27 17:49 ` Lendacky, Thomas
2020-07-28 10:07 ` Laszlo Ersek
2020-07-28 12:52 ` Lendacky, Thomas
2020-07-28 13:59 ` Laszlo Ersek
2020-07-27 18:43 ` [PATCH v12 40/46] UefiCpuPkg: Add a 16-bit protected mode code segment descriptor Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 41/46] UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is enabled Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 42/46] UefiCpuPkg: Allow AP booting under SEV-ES Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 43/46] OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 44/46] OvmfPkg: Move the GHCB allocations into reserved memory Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 45/46] UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use Lendacky, Thomas
2020-07-27 18:43 ` [PATCH v12 46/46] Maintainers.txt: Add reviewers for the OvmfPkg SEV-related files Lendacky, Thomas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6de8f3220156163493b3614eb8c6e63f6d1d3095.1595863587.git.thomas.lendacky@amd.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox