Subject: Re: [PATCH v5 3/4] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
To: Ashish Kalra, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, brijesh.singh@amd.com, tobin@ibm.com, jejb@linux.ibm.com, lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com, erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com
From: "Lendacky, Thomas"
Message-ID: <6fc8c340-dac7-e3b3-52cc-5cec16d1ab5e@amd.com>
Date: Fri, 16 Jul 2021 09:22:20 -0500
In-Reply-To: <959ad1f27b83dd52524ef187ff9fc96c90a8ab86.1625687246.git.ashish.kalra@amd.com>

On 7/8/21 9:08 AM, Ashish Kalra wrote:
> From: Ashish Kalra
>
> Mark the SEC GHCB page (that is mapped as unencrypted in
> ResetVector code) in the hypervisor page status tracking.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Signed-off-by: Ashish Kalra
> ---
> OvmfPkg/PlatformPei/AmdSev.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index a8bf610022..1ec0de48fe 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -52,6 +52,15 @@ AmdSevEsInitialize ( > PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE); > ASSERT_RETURN_ERROR (PcdStatus); > > + // > + // GHCB_BASE setup during reset-vector needs to be marked as s/GHCB_BASE/The SEC Ghcb/ > + // decrypted in the hypervisor page encryption bitmap. Is the "hypervisor page encryption bitmap" valid anymore? This gets passed up to userspace now, right? You should go through all the patches to be sure you aren't talking about a bitmap anymore and just state that you're updating the encryption state with the hypervisor. > + // > + SetMemoryEncDecHypercall3 (FixedPcdGet32 (PcdOvmfSecGhcbBase), The first argument needs to be moved down to a line of its own and indented like the following arguments. > + EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize)), > + KVM_MAP_GPA_RANGE_DECRYPTED Ah, now I see this #define used, but you should be passing a 0 or 1, right? This happens to evaluate to 0, but it's the wrong way to call this function. Thanks, Tom > + ); > + > // > // Allocate GHCB and per-CPU variable pages. > // Since the pages must survive across the UEFI to OS transition >
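Review bot: The result of the SetMemoryEncDecHypercall3 () call in the added block is discarded, while the PcdSetBoolS () call directly above it has its status checked with ASSERT_RETURN_ERROR (PcdStatus). If the hypercall wrapper returns a status, capture it and check it here, because a failed call would leave the hypervisor tracking the SEC GHCB range as encrypted while the guest has it mapped unencrypted. Style point in the same call: `EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize))` lacks the space before the opening parenthesis that the other calls in this hunk use.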