From: "Ni, Ray" <ray.ni@intel.com>
To: devel@edk2.groups.io, thomas.lendacky@amd.com, afish@apple.com
Cc: "Justen, Jordan L", Laszlo Ersek, Ard Biesheuvel, "Kinney, Michael D", "Gao, Liming", "Dong, Eric", Brijesh Singh, "You, Benjamin", "Bi, Dandan", "Dong, Guo", "Wu, Hao A", "Wang, Jian J", "Ma, Maurice", Fan Jeff
Subject: Re: [edk2-devel] [PATCH v7 00/43] SEV-ES guest support
Date: Thu, 14 May 2020 13:10:16 +0000
Message-ID: <734D49CCEBEEF84792F5B80ED585239D5C54F7B4@SHSMSX104.ccr.corp.intel.com>

Tom,

I just discussed with original CPU owner Jeff and went through how IDT is set up in the boot flow.
Here is what I think you can do to avoid modifying the CpuExceptionHandlerLib.

1. SecPlatformMain() modifies IDT[29] to point to your VC handler. This step helps to build the VC handler in whole 32bit mode SEC+PEI.
2. Create a new DXE driver with dependency set to TRUE and call RegisterCpuInterruptHandler(29, xx) in its entrypoint to register VC handler for whole 64bit mode DXE.
3. Platform FDF uses apriori file mechanism to make sure the driver created in step #2 is dispatched as the 1st driver in DXE phase. This step is optional if you accept there is some time that VC handler is not set up in early DXE phase.
4. In the new DXE driver, get the EFI_VECTOR_HANDOFF_INFO (MdePkg\Include\Ppi\VectorHandoffInfo.h) from the configuration table.
   It reports failure if the vector_handoff table says DO_NOT_HOOK for #29.
   It re-produces the vector_handoff table with #29 set to DO_NOT_HOOK so that no one could use CpuArch protocol to override #29 handler.

In general, I want to use the API/capability provided by CpuExceptionHandlerLib instead of directly modifying it for handler registration.
Directly modifying it gives an improper code reference/example for future developers.

Thanks,
Ray

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Lendacky, Thomas
> Sent: Tuesday, May 12, 2020 11:00 PM
> To: Ni, Ray; devel@edk2.groups.io; afish@apple.com
> Cc: Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Kinney, Michael D; Gao, Liming; Dong, Eric; Brijesh Singh; You, Benjamin; Bi, Dandan; Dong, Guo; Wu, Hao A; Wang, Jian J; Ma, Maurice
> Subject: Re: [edk2-devel] [PATCH v7 00/43] SEV-ES guest support
>
> On 5/11/20 12:24 AM, Ni, Ray wrote:
> > Tom,
> >
> > I agree with the first issue. I am not quite clear on the second one.
>
> In regards to the exception propagation, the hypervisor is allowed to request an exception as part of the return information. For example, the guest issues a RDMSR instruction for an invalid MSR. The hypervisor would normally inject a #GP into the guest. With SEV-ES, the VC handler has to do this. Hence the need to possibly propagate to other exception handlers after handling the #VC.
>
> >
> > SourceLevelDebugPkg provides source level debugging support early in SEC through SourceLevelDebugPkg\Library\DebugAgent\SecPeiDebugAgent\.
> >
> > It hooks all Intel SDM defined exceptions. It hooks INT32 additionally to support breaking from HOST.
> >
> > It doesn't use CpuExceptionLib because it hooks in very early SEC phase.
> >
> > Can you use the same way?
>
> I can look at trying to do something like this. I guess the source level debug needs to be aware of all the exceptions, which is why it hooks all them. The SEV-ES support is only concerned with the #VC exception. It just seems like a lot of duplicated and extra code vs. checking for / handling the #VC exception in the CpuExceptionHandler library.
>
> My plan for v8 is/was to have a NULL VmgExitLib library, of which the #VC handler would be part of the interface, with the CpuExceptionHandler library invoking the #VC handler on #VC exception and having the OvmfPkg provide a VmgExitLib library with all the functionality.
>
> Thanks,
> Tom
>
> >
> > Thanks,
> > Ray
> >
> > *From:* devel@edk2.groups.io *On Behalf Of* Andrew Fish via groups.io
> > *Sent:* Sunday, May 10, 2020 3:10 AM
> > *To:* devel@edk2.groups.io; thomas.lendacky@amd.com
> > *Cc:* Ni, Ray; Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Kinney, Michael D; Gao, Liming; Dong, Eric; Brijesh Singh; You, Benjamin; Bi, Dandan; Dong, Guo; Wu, Hao A; Wang, Jian J; Ma, Maurice
> > *Subject:* Re: [edk2-devel] [PATCH v7 00/43] SEV-ES guest support
> >
> > On May 9, 2020, at 7:34 AM, Lendacky, Thomas wrote:
> >
> > On 5/9/20 1:44 AM, Ni, Ray wrote:
> >
> > Tom,
> >
> > Hi Ray,
> >
> > I have a bit concern on your change that directly modifies CpuExceptionHandlerLib to handle exception #29. Today's CpuExceptionHandlerLib simply dumps the exception context for every exception. Any component which wants to do specific handling of certain exceptions should call RegisterCpuInterruptHandler(). Such as code in CpuDxe driver:
> >
> >   if (HEAP_GUARD_NONSTOP_MODE || NULL_DETECTION_NONSTOP_MODE) {
> >     RegisterCpuInterruptHandler (EXCEPT_IA32_DEBUG, DebugExceptionHandler);
> >     RegisterCpuInterruptHandler (EXCEPT_IA32_PAGE_FAULT, PageFaultExceptionHandler);
> >   }
> >
> > Is it possible for your feature to follow the same pattern?
> >
> > There are two problems:
> >
> > The first is that RegisterCpuInterruptHandler() is not implemented for both the SEC and PEI phases, so it is not currently possible to register a handler that early.
> >
> > The second is that I need to be able to propagate an exception request from the hypervisor. With the current implementation there doesn't appear to be an easy way to perform this propagation.
> >
> > If there's a way to accomplish both of the above I wouldn't be opposed to using RegisterCpuInterruptHandler() as long as there are no #VCs that can occur between initializing exception handling and registering the #VC handler.
> >
> > Thomas,
> >
> > As you point out it is tricky dealing with XIP code. You can't have globals that you can write and generally you use a PEI service to look things up, the most common thing being using a HOB. But SEC has no services and I'm not sure you really want to be calling into the PEI Core on a random exception.
> >
> > Here are the best options that popped into my head after reading your email
> >
> > 1) IDT in RAM
> >
> > If your code populates the IDT the IDTR gives you access to the address of the IDTR via an instruction. The PI Spec reserves IDT - sizeof (UINTN) for a cached copy of the PEI Services Table, but other than that you are good to go. It should be possible to have a global so you can have the table required to implement RegisterCpuInterruptHandler(). There might be some usage of IDT - (2 * sizeof(UINTN)), I know I'm guilty, so storing data after the IDT would be a good option. In general if your code allocates the memory for the IDT then you can treat the IDT as part of your private context data structure and that gives you access
> >
> > 2) IDT in ROM.
> >
> > For this it seems like you need a library to link in to the CpuExceptionHandlerLib that allows you to override the handler. If CpuInterruptHandlerOverride() returns NULL you do the current behavior; if not NULL then you call the returned handler.
> >
> >   EFI_CPU_INTERRUPT_HANDLER
> >   EFIAPI
> >   OverrideCpuInterruptHandler (
> >     IN EFI_EXCEPTION_TYPE            InterruptType
> >     );
> >
> > Thanks,
> >
> > Andrew Fish
> >
> > PS Off topic, but it would also be useful to have a library that overrides the state dump display. For example using Xcode you can always display a stack frame from the exception handler.
> >
> > Thanks,
> > Tom
> >
> > Thanks,
> > Ray
> >
> > -----Original Message-----
> > From: Tom Lendacky
> > Sent: Saturday, May 9, 2020 3:16 AM
> > To: devel@edk2.groups.io
> > Cc: Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Kinney, Michael D; Gao, Liming; Dong, Eric; Ni, Ray; Brijesh Singh; You, Benjamin; Bi, Dandan; Dong, Guo; Wu, Hao A; Wang, Jian J; Ma, Maurice
> > Subject: Re: [PATCH v7 00/43] SEV-ES guest support
> >
> > I was able to use the pull request method that Laszlo documented and fixed up all of the issues identified by the VS compiler.
> >
> > An additional change I'm planning to make for the next version (v8) of the patches is to create a NULL library instance of the VmgExitLib that will also include the #VC handler function. This will reduce the amount of code associated with this feature for platforms that don't use/support SEV-ES.
> >
> > Laszlo, this will mean that I will introduce a version of the VmgExitLib under OvmfPkg that will provide the majority of the functionality that is present today in UefiCpuPkg. In essence, the functionality in v7 patches 8 and 11 - 25 will now live under OvmfPkg instead of UefiCpuPkg. I think this is the better way to do this. Let me know if you have any concerns.
> >
> > Thanks,
> > Tom
> >
> > On 4/22/20 12:41 PM, Tom Lendacky wrote:
> >
> > This patch series provides support for running EDK2/OVMF under SEV-ES.
> >
> > Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the SEV support to protect the guest register state from the hypervisor. See "AMD64 Architecture Programmer's Manual Volume 2: System Programming", section "15.35 Encrypted State (SEV-ES)" [1].
> >
> > In order to allow a hypervisor to perform functions on behalf of a guest, there is architectural support for notifying a guest's operating system when certain types of VMEXITs are about to occur. This allows the guest to selectively share information with the hypervisor to satisfy the requested function. The notification is performed using a new exception, the VMM Communication exception (#VC). The information is shared through the Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction. The GHCB format and the protocol for using it is documented in "SEV-ES Guest-Hypervisor Communication Block Standardization" [2].
> >
> > The main areas of the EDK2 code that are updated to support SEV-ES are around the exception handling support and the AP boot support.
> >
> > Exception support is required starting in Sec, continuing through Pei and into Dxe in order to handle #VC exceptions that are generated. Each AP requires its own GHCB page as well as a page to hold values specific to that AP.
> >
> > AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence is typically used to boot the APs. However, the hypervisor is not allowed to update the guest registers. The GHCB document [2] talks about how SMP booting under SEV-ES is performed.
> >
> > Since the GHCB page must be a shared (unencrypted) page, the processor must be running in long mode in order for the guest and hypervisor to communicate with each other. As a result, SEV-ES is only supported under the X64 architecture.
> >
> > [1] https://www.amd.com/system/files/TechDocs/24593.pdf
> > [2] https://developer.amd.com/wp-content/resources/56421.pdf
> >
> > ---
> >
> > These patches are based on commit:
> > be7295b36405 (".python/SpellCheck: Increase SpellCheck plugin max failures")
> >
> > Proper execution of SEV-ES relies on Bugzilla 2340 being fixed.
> >
> > A version of the tree (with an extra patch to work around Bugzilla 2340) can be found at:
> > https://github.com/AMDESE/ovmf/tree/sev-es-v14
> >
> > Cc: Ard Biesheuvel
> > Cc: Benjamin You
> > Cc: Dandan Bi
> > Cc: Eric Dong
> > Cc: Guo Dong
> > Cc: Hao A Wu
> > Cc: Jian J Wang
> > Cc: Jordan Justen
> > Cc: Laszlo Ersek
> > Cc: Liming Gao
> > Cc: Maurice Ma
> > Cc: Michael D Kinney
> > Cc: Ray Ni
> >
> > Changes since v6:
> > - Add function comments to all functions, including local functions
> > - Add function parameter direction to all functions (in/out)
> > - Add support for MMIO MOVZX/MOVSX instructions
> > - Ensure the per-CPU variable page remains encrypted
> > - Coding-style fixes as identified by Ecc
> >
> > Changes since v5:
> > - Remove extraneous VmgExitLib usage
> > - Miscellaneous changes to address feedback (coding style, etc.)
> >
> > Changes since v4:
> > - Move the SEV-ES protocol negotiation out of the SEC exception handler and into the SecMain.c file.
> >   As a result:
> >   - Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
> >   - Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a single AMDSevVcHandler.c
> > - Consolidate VmgExitLib usage into common LibraryClasses sections
> > - Add documentation comments to the VmgExitLib functions
> >
> > Changes since v3:
> > - Remove the need for the MP library finalization routine. The AP jump table address will be held by the hypervisor rather than communicated via the GHCB MSR. This removes some fragility around the UEFI to OS transition.
> > - Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to communicate the SEV-ES status, so that SEC CPU exception handling is only established for an SEV-ES guest.
> > - Fix SMM build breakage around QemuFlashPtrWrite().
> > - Fix SMM build breakage by adding VC exception support to the SMM CPU exception handling.
> > - Add memory fencing around the invocation of AsmVmgExit().
> > - Clarify comments around the SEV-ES AP reset RIP values and usage.
> > - Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
> > - Remove the 16-bit code selector definition from MdeModulePkg
> >
> > Changes since v2:
> > - Added a way to locate the SEV-ES fixed AP RIP address for starting AP's to avoid updating the actual flash image (build time location that is identified with a GUID value).
> > - Create a VmgExit library to replace static inline functions.
> > - Move some PCDs to the appropriate packages
> > - Add support for writing to QEMU flash under SEV-ES
> > - Add additional MMIO opcode support
> > - Cleaned up the GHCB MSR CPUID protocol support
> >
> > Changes since v1:
> > - Patches reworked to be more specific to the component/area being updated and order of definition/usage
> > - Created a library for VMGEXIT-related functions to replace use of inline functions
> > - Allocation method for GDT changed from AllocatePool to AllocatePages
> > - Early caching only enabled for SEV-ES guests
> > - Ensure AP loop mode set to halt loop mode for SEV-ES guests
> > - Reserved SEC GHCB-related memory areas when S3 is enabled
> >
> > Tom Lendacky (43):
> >   MdeModulePkg: Create PCDs to be used in support of SEV-ES
> >   UefiCpuPkg: Create PCD to be used in support of SEV-ES
> >   MdePkg: Add the MSR definition for the GHCB register
> >   MdePkg: Add a structure definition for the GHCB
> >   MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
> >   MdePkg/BaseLib: Add support for the XGETBV instruction
> >   MdePkg/BaseLib: Add support for the VMGEXIT instruction
> >   UefiCpuPkg: Implement library support for VMGEXIT
> >   OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
> >   UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
> >   UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
> >   UefiCpuPkg/CpuExceptionHandler: Add support for IOIO_PROT NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Support string IO for IOIO_PROT NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for CPUID NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for MSR_PROT NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for NPF NAE events (MMIO)
> >   UefiCpuPkg/CpuExceptionHandler: Add support for WBINVD NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSC NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for RDPMC NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for INVD NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for VMMCALL NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSCP NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for MONITOR/MONITORX NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for MWAIT/MWAITX NAE events
> >   UefiCpuPkg/CpuExceptionHandler: Add support for DR7 Read/Write NAE events
> >   OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
> >   OvmfPkg: Add support to perform SEV-ES initialization
> >   OvmfPkg: Create a GHCB page for use during Sec phase
> >   OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
> >   OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
> >   OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
> >   UefiCpuPkg: Create an SEV-ES workarea PCD
> >   OvmfPkg: Reserve a page in memory for the SEV-ES usage
> >   OvmfPkg/ResetVector: Add support for a 32-bit SEV check
> >   OvmfPkg/Sec: Add #VC exception handling for Sec phase
> >   OvmfPkg/Sec: Enable cache early to speed up booting
> >   OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with SEV-ES is enabled
> >   UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
> >   UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is enabled
> >   UefiCpuPkg: Allow AP booting under SEV-ES
> >   OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
> >   OvmfPkg: Move the GHCB allocations into reserved memory
> >   UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
> >
> >  MdeModulePkg/MdeModulePkg.dec                 |    9 +
> >  OvmfPkg/OvmfPkg.dec                           |    9 +
> >  UefiCpuPkg/UefiCpuPkg.dec                     |   17 +
> >  OvmfPkg/OvmfPkgIa32.dsc                       |    6 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc                    |    6 +
> >  OvmfPkg/OvmfPkgX64.dsc                        |    6 +
> >  OvmfPkg/OvmfXen.dsc                           |    1 +
> >  UefiCpuPkg/UefiCpuPkg.dsc                     |    2 +
> >  UefiPayloadPkg/UefiPayloadPkgIa32.dsc         |    2 +
> >  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc      |    2 +
> >  OvmfPkg/OvmfPkgX64.fdf                        |    9 +
> >  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf       |    2 +
> >  MdePkg/Library/BaseLib/BaseLib.inf            |    4 +
> >  OvmfPkg/PlatformPei/PlatformPei.inf           |    7 +
> >  .../FvbServicesRuntimeDxe.inf                 |    2 +
> >  OvmfPkg/ResetVector/ResetVector.inf           |    8 +
> >  OvmfPkg/Sec/SecMain.inf                       |    4 +
> >  .../DxeCpuExceptionHandlerLib.inf             |    5 +
> >  .../PeiCpuExceptionHandlerLib.inf             |    5 +
> >  .../SecPeiCpuExceptionHandlerLib.inf          |    5 +
> >  .../SmmCpuExceptionHandlerLib.inf             |    5 +
> >  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |    4 +
> >  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf |    4 +
> >  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf  |   33 +
> >  .../Core/DxeIplPeim/X64/VirtualMemory.h       |   12 +-
> >  MdePkg/Include/Library/BaseLib.h              |   31 +
> >  MdePkg/Include/Register/Amd/Fam17Msr.h        |   42 +
> >  MdePkg/Include/Register/Amd/Ghcb.h            |  136 ++
> >  OvmfPkg/Include/Library/MemEncryptSevLib.h    |   12 +
> >  .../QemuFlash.h                               |   13 +
> >  UefiCpuPkg/CpuDxe/CpuGdt.h                    |    4 +-
> >  UefiCpuPkg/Include/Library/VmgExitLib.h       |  117 ++
> >  .../CpuExceptionHandlerLib/AMDSevVcCommon.h   |   49 +
> >  .../CpuExceptionCommon.h                      |    2 +
> >  UefiCpuPkg/Library/MpInitLib/MpLib.h          |   68 +-
> >  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c        |    4 +-
> >  .../Core/DxeIplPeim/X64/DxeLoadFunc.c         |   11 +-
> >  .../Core/DxeIplPeim/X64/VirtualMemory.c       |   57 +-
> >  MdePkg/Library/BaseLib/Ia32/GccInline.c       |   45 +
> >  MdePkg/Library/BaseLib/X64/GccInline.c        |   47 +
> >  .../MemEncryptSevLibInternal.c                |   75 +-
> >  OvmfPkg/PlatformPei/AmdSev.c                  |   89 +
> >  OvmfPkg/PlatformPei/MemDetect.c               |   23 +
> >  .../QemuFlash.c                               |   23 +-
> >  .../QemuFlashDxe.c                            |   22 +
> >  .../QemuFlashSmm.c                            |   16 +
> >  OvmfPkg/Sec/SecMain.c                         |  188 +-
> >  UefiCpuPkg/CpuDxe/CpuGdt.c                    |    8 +-
> >  .../CpuExceptionHandlerLib/AMDSevVcHandler.c  |   40 +
> >  .../CpuExceptionCommon.c                      |    2 +-
> >  .../Ia32/ArchAMDSevVcHandler.c                |   38 +
> >  .../PeiDxeSmmCpuException.c                   |   16 +
> >  .../SecPeiCpuException.c                      |   16 +
> >  .../X64/ArchAMDSevVcHandler.c                 | 1699 +++++++++++++++++
> >  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |  113 +-
> >  UefiCpuPkg/Library/MpInitLib/MpLib.c          |  265 ++-
> >  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c       |   19 +
> >  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c    |  293 +++
> >  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c  |    2 +-
> >  MdeModulePkg/MdeModulePkg.uni                 |    8 +
> >  MdePkg/Library/BaseLib/Ia32/VmgExit.nasm      |   37 +
> >  MdePkg/Library/BaseLib/Ia32/XGetBv.nasm       |   31 +
> >  MdePkg/Library/BaseLib/X64/VmgExit.nasm       |   32 +
> >  MdePkg/Library/BaseLib/X64/XGetBv.nasm        |   34 +
> >  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |  100 +
> >  OvmfPkg/ResetVector/Ia32/PageTables64.asm     |  350 +++-
> >  OvmfPkg/ResetVector/ResetVector.nasmb         |   20 +
> >  .../X64/ExceptionHandlerAsm.nasm              |   17 +
> >  UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc   |    2 +-
> >  .../Library/MpInitLib/Ia32/MpFuncs.nasm       |   15 +
> >  UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc    |    4 +-
> >  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm |  370 +++-
> >  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni  |   15 +
> >  .../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm  |    9 +
> >  UefiCpuPkg/UefiCpuPkg.uni                     |   11 +
> >  75 files changed, 4707 insertions(+), 102 deletions(-)
> >  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf
> >  create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
> >  create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
> >  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcCommon.h
> >  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcHandler.c
> >  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchAMDSevVcHandler.c
> >  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchAMDSevVcHandler.c
> >  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c
> >  create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
> >  create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
> >  create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
> >  create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
> >  create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> >  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni
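As an added illustration of step 4 in Ray's proposal at the top of this mail (check the vector hand-off table before claiming #29, then republish it with #29 marked DO_NOT_HOOK), here is a host-side C model; it is not code from this thread or from the patch series. The EFI_VECTOR_HANDOFF_INFO layout and attribute values are reproduced from memory of MdePkg/Include/Ppi/VectorHandoffInfo.h and, like the driver GUID and the sample table, are assumptions defined locally so the file builds without edk2 headers.

```c
/* Added example, not from the thread or the edk2 patches. Models the
 * DXE driver's step-4 decision: refuse when #VC (vector 29) is already
 * DO_NOT_HOOK, else republish the table claiming #VC as DO_NOT_HOOK so
 * later CpuArch protocol users cannot replace the handler. Struct layout,
 * attribute values, GUID and sample table are assumptions (see lead-in). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
  uint32_t Data1;
  uint16_t Data2;
  uint16_t Data3;
  uint8_t  Data4[8];
} EFI_GUID;

typedef struct {
  uint32_t VectorNumber;
  uint32_t Attribute;
  EFI_GUID Owner;
} EFI_VECTOR_HANDOFF_INFO;

#define EFI_VECTOR_HANDOFF_DO_NOT_HOOK  0x00000000u
#define EFI_VECTOR_HANDOFF_HOOK_BEFORE  0x00000001u
#define EFI_VECTOR_HANDOFF_HOOK_AFTER   0x00000002u
#define EFI_VECTOR_HANDOFF_LAST_ENTRY   0xFFFFFFFFu

#define VC_VECTOR 29u  /* #VC, the SEV-ES VMM Communication exception */

/* Constructed GUID standing in for the hypothetical #VC driver's FILE_GUID. */
static const EFI_GUID mVcDriverGuid = {
  0x5e5e5e5e, 0x1234, 0x5678, { 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7 }
};

/* Constructed sample table (not captured from firmware): #DB chained by a
 * debug agent, #VC hooked by an earlier phase with chaining still allowed. */
static const EFI_VECTOR_HANDOFF_INFO mSampleTable[] = {
  { 1,         EFI_VECTOR_HANDOFF_HOOK_AFTER, { 0 } },
  { VC_VECTOR, EFI_VECTOR_HANDOFF_HOOK_AFTER, { 0 } },
  { 0,         EFI_VECTOR_HANDOFF_LAST_ENTRY, { 0 } },
};

/* Number of entries including the LAST_ENTRY terminator. */
size_t HandoffTableLength(const EFI_VECTOR_HANDOFF_INFO *Table) {
  size_t n = 0;
  while (Table[n].Attribute != EFI_VECTOR_HANDOFF_LAST_ENTRY) n++;
  return n + 1;
}

/* 1 if any entry marks Vector as DO_NOT_HOOK (scans the whole table). */
int VectorIsDoNotHook(const EFI_VECTOR_HANDOFF_INFO *Table, uint32_t Vector) {
  for (size_t i = 0; Table[i].Attribute != EFI_VECTOR_HANDOFF_LAST_ENTRY; i++)
    if (Table[i].VectorNumber == Vector &&
        Table[i].Attribute == EFI_VECTOR_HANDOFF_DO_NOT_HOOK) return 1;
  return 0;
}

/* First attribute recorded for Vector, or LAST_ENTRY if there is none. */
uint32_t LookupAttribute(const EFI_VECTOR_HANDOFF_INFO *Table, uint32_t Vector) {
  for (size_t i = 0; Table[i].Attribute != EFI_VECTOR_HANDOFF_LAST_ENTRY; i++)
    if (Table[i].VectorNumber == Vector) return Table[i].Attribute;
  return EFI_VECTOR_HANDOFF_LAST_ENTRY;
}

/* Step-4 logic. NULL means "report failure: Vector is reserved by someone
 * else". Otherwise returns a fresh table (caller frees) in which every old
 * entry for Vector is replaced by one DO_NOT_HOOK entry owned by Owner. */
EFI_VECTOR_HANDOFF_INFO *ClaimVector(const EFI_VECTOR_HANDOFF_INFO *Old,
                                     uint32_t Vector, const EFI_GUID *Owner) {
  if (Old == NULL || VectorIsDoNotHook(Old, Vector)) return NULL;
  size_t n = HandoffTableLength(Old);                 /* includes terminator */
  EFI_VECTOR_HANDOFF_INFO *New = malloc((n + 1) * sizeof *New);
  if (New == NULL) return NULL;
  size_t j = 0;
  for (size_t i = 0; i + 1 < n; i++)                  /* drop old Vector entries */
    if (Old[i].VectorNumber != Vector) New[j++] = Old[i];
  New[j].VectorNumber = Vector;
  New[j].Attribute    = EFI_VECTOR_HANDOFF_DO_NOT_HOOK;
  New[j].Owner        = *Owner;
  New[++j] = Old[n - 1];                              /* terminator stays last */
  return New;
}

/* Whole scenario on the sample table, as a bitmask: bit0 first claim ok,
 * bit1 #VC now DO_NOT_HOOK, bit2 #DB entry kept, bit3 length unchanged,
 * bit4 a second claimant is refused. 0x1F is the expected result. */
unsigned ClaimVcScenario(void) {
  unsigned r = 0;
  EFI_VECTOR_HANDOFF_INFO *t = ClaimVector(mSampleTable, VC_VECTOR, &mVcDriverGuid);
  if (t == NULL) return 0;
  r |= 1u;
  if (LookupAttribute(t, VC_VECTOR) == EFI_VECTOR_HANDOFF_DO_NOT_HOOK) r |= 2u;
  if (LookupAttribute(t, 1) == EFI_VECTOR_HANDOFF_HOOK_AFTER) r |= 4u;
  if (HandoffTableLength(t) == HandoffTableLength(mSampleTable)) r |= 8u;
  if (ClaimVector(t, VC_VECTOR, &mVcDriverGuid) == NULL) r |= 16u;
  free(t);
  return r;
}

int main(void) {
  printf("scenario bits: 0x%02x (expect 0x1f)\n", ClaimVcScenario());
  return 0;
}
```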