From: "Brijesh Singh"
Date: Tue, 22 Jun 2021 14:47:47 -0500
Subject: Re: [PATCH v4 1/4] OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
To: Ashish Kalra, devel@edk2.groups.io
Cc: brijesh.singh@amd.com, Thomas.Lendacky@amd.com, jejb@linux.ibm.com, erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com, lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com
Message-ID: <742885b1-b880-fd09-d76a-be495b294332@amd.com>
In-Reply-To: <7d0a30a022a7d3d3e056af8f79b87ed9991d2f52.1624281247.git.ashish.kalra@amd.com>

On 6/21/2021 8:56 AM, Ashish Kalra wrote:
> From: Ashish Kalra
>
> Add SEV and SEV-ES hypercall abstraction library to support SEV Page
> encryption/decryption status hypercalls for SEV and SEV-ES guests.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
>

Remove this newline.

> Signed-off-by: Ashish Kalra
> ---
> Maintainers.txt | 2 +
> OvmfPkg/Include/Library/MemEncryptHypercallLib.h | 43 ++++++++
> OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c | 37 +++++++
> OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf | 42 ++++++++
> OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm | 28 ++++++
> OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c | 105 ++++++++++++++++++++
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> OvmfPkg/OvmfXen.dsc | 1 +
> 10 files changed, 261 insertions(+)
>
> diff --git a/Maintainers.txt b/Maintainers.txt
> index ea54e0b7e9..8ecc8464ba 100644
> --- a/Maintainers.txt
> +++ b/Maintainers.txt
> @@ -449,8 +449,10 @@ F: OvmfPkg/AmdSev/ > F: OvmfPkg/AmdSevDxe/ > F: OvmfPkg/Include/Guid/ConfidentialComputingSecret.h > F: OvmfPkg/Include/Library/MemEncryptSevLib.h > +F: OvmfPkg/Include/Library/MemEncryptHypercallLib.h > F: OvmfPkg/IoMmuDxe/AmdSevIoMmu.* > F: OvmfPkg/Library/BaseMemEncryptSevLib/ > +F: OvmfPkg/Library/MemEncryptHypercallLib/ > F: OvmfPkg/Library/PlatformBootManagerLibGrub/ > F: OvmfPkg/Library/VmgExitLib/ > F: OvmfPkg/PlatformPei/AmdSev.c > diff --git a/OvmfPkg/Include/Library/MemEncryptHypercallLib.h b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h > new file mode 100644 > index 0000000000..b241a189b6 > --- /dev/null > +++ b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h > @@ -0,0 +1,43 @@ > +/** @file > + > + Define Secure Encrypted Virtualization (SEV) hypercall library. > + > + Copyright (c) 2020, AMD Incorporated. All rights reserved.
^^^^ 2021 > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef _MEM_ENCRYPT_HYPERCALL_LIB_H_ > +#define _MEM_ENCRYPT_HYPERCALL_LIB_H_ > + > +#include > + > +#define KVM_HC_MAP_GPA_RANGE 12 > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K 0 > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_2M (1 << 0) > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_1G (1 << 1) > +#define KVM_MAP_GPA_RANGE_ENC_STAT(n) ((n) << 4) > +#define KVM_MAP_GPA_RANGE_ENCRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(1) > +#define KVM_MAP_GPA_RANGE_DECRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(0) > + > +/** > + This hyercall is used to notify hypervisor when a page is marked as > + 'decrypted' (i.e C-bit removed). > + Looking at the function signature it seems this routine is used for both set and clear. Please update the comment accordingly. > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. > + @param[in] Length The length of memory region > + @param[in] Mode SetCBit or ClearCBit > + > +**/ > + > +VOID > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN UINTN PhysicalAddress, > + IN UINTN Length, > + IN UINTN Mode > + ); > + > +#endif > diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c b/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c > new file mode 100644 > index 0000000000..2e73d47ee6 > --- /dev/null > +++ b/OvmfPkg/Library/MemEncryptHypercallLib/Ia32/MemEncryptHypercallLib.c > @@ -0,0 +1,37 @@ > +/** @file > + > + Secure Encrypted Virtualization (SEV) hypercall helper library > + > + Copyright (c) 2020, AMD Incorporated. All rights reserved.
^^^^ 2021 > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > +#include > +#include > + > +/** > + This hyercall is used to notify hypervisor when a page is marked as > + 'decrypted' (i.e C-bit removed). > + > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. > + @param[in] Length The length of memory region > + @param[in] Mode SetCBit or ClearCBit > + > +**/ > + > +VOID > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN PHYSICAL_ADDRESS PhysicalAddress, > + IN UINTN Pages, > + IN UINTN Mode > + ) > +{ > + // > + // Memory encryption bit is not accessible in 32-bit mode > + // > +} > diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > new file mode 100644 > index 0000000000..a77d58a7e6 > --- /dev/null > +++ b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > @@ -0,0 +1,42 @@ > +## @file > +# Library provides the hypervisor helper functions for SEV guest > +# > +# Copyright (c) 2020 Advanced Micro Devices. All rights reserved.
^^^^ 2021 > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +# > +## > + > +[Defines] > + INF_VERSION = 1.25 > + BASE_NAME = MemEncryptHypercallLib > + FILE_GUID = 86f2501e-f128-45f3-91c4-3cff31656ca8 > + MODULE_TYPE = BASE > + VERSION_STRING = 1.0 > + LIBRARY_CLASS = MemEncryptHypercallLib > + > +# > +# The following information is for reference only and not required by the build > +# tools. > +# > +# VALID_ARCHITECTURES = IA32 X64 > +# > + > +[Packages] > + MdeModulePkg/MdeModulePkg.dec > + MdePkg/MdePkg.dec > + UefiCpuPkg/UefiCpuPkg.dec > + OvmfPkg/OvmfPkg.dec > + > +[Sources.X64] > + X64/MemEncryptHypercallLib.c > + X64/AsmHelperStub.nasm > + > +[Sources.IA32] > + Ia32/MemEncryptHypercallLib.c > + > +[LibraryClasses] > + BaseLib > + DebugLib > + VmgExitLib > diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm > new file mode 100644 > index 0000000000..f29b96f9b0 > --- /dev/null > +++ b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm > @@ -0,0 +1,28 @@ > +DEFAULT REL > +SECTION .text > + > +; VOID > +; EFIAPI > +; SetMemoryEncDecHypercall3AsmStub ( > +; IN UINT HypercallNum, > +; IN INTN Arg1, > +; IN INTN Arg2, > +; IN INTN Arg3 > +; ); > +global ASM_PFX(SetMemoryEncDecHypercall3AsmStub) > +ASM_PFX(SetMemoryEncDecHypercall3AsmStub): > + ; UEFI calling conventions require RBX to > + ; be nonvolatile/callee-saved. > + push rbx > + ; Copy HypercallNumber to rax > + mov rax, rcx > + ; Copy Arg1 to the register expected by KVM > + mov rbx, rdx > + ; Copy Arg2 to register expected by KVM > + mov rcx, r8 > + ; Copy Arg2 to register expected by KVM > + mov rdx, r9 > + ; Call VMMCALL > + vmmcall > + pop rbx > + ret > diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c b/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c > new file mode 100644 > index 0000000000..1c09ea012b > --- /dev/null 
> +++ b/OvmfPkg/Library/MemEncryptHypercallLib/X64/MemEncryptHypercallLib.c > @@ -0,0 +1,105 @@ > +/** @file > + > + Secure Encrypted Virtualization (SEV) hypercall helper library > + > + Copyright (c) 2020, AMD Incorporated. All rights reserved.
^^^^ 2021 > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +// > +// Interface exposed by the ASM implementation of the core hypercall > +// > +// > + > +VOID > +EFIAPI > +SetMemoryEncDecHypercall3AsmStub ( > + IN UINTN HypercallNum, > + IN UINTN PhysicalAddress, > + IN UINTN Length, > + IN UINTN Mode > + ); > + The function signature does not match with documented signature. Fix the SetMemoryEncDecHypercall3AsmStub() documented in AsmHelperStub.nasm to use UINTN. > +STATIC > +VOID > +GhcbSetRegValid ( > + IN OUT GHCB *Ghcb, > + IN GHCB_REGISTER Reg > + ) > +{ > + UINT32 RegIndex; > + UINT32 RegBit; > + > + RegIndex = Reg / 8; > + RegBit = Reg & 0x07; > + > + Ghcb->SaveArea.ValidBitmap[RegIndex] |= (1 << RegBit); > +} > + This looks similar to VmgSetOffsetValid(). > +/** > + This hyercall is used to notify hypervisor when a page is marked as > + 'decrypted' (i.e C-bit removed). > +Please update the comment. > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. 
> + @param[in] Length The length of memory region > + @param[in] Mode SetCBit or ClearCBit > + > +**/ > + > +VOID > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN PHYSICAL_ADDRESS PhysicalAddress, > + IN UINTN Pages, > + IN UINTN Mode > + ) > +{ > + if (MemEncryptSevEsIsEnabled ()) {> + MSR_SEV_ES_GHCB_REGISTER Msr; > + GHCB *Ghcb; > + BOOLEAN InterruptState; > + UINT64 Status; > + > + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); > + Ghcb = Msr.Ghcb; > + > + VmgInit (Ghcb, &InterruptState); > + > + Ghcb->SaveArea.Rax = KVM_HC_MAP_GPA_RANGE; > + GhcbSetRegValid (Ghcb, GhcbRax); > + Ghcb->SaveArea.Rbx = PhysicalAddress; > + GhcbSetRegValid (Ghcb, GhcbRbx); > + Ghcb->SaveArea.Rcx = Pages; > + GhcbSetRegValid (Ghcb, GhcbRcx); > + Ghcb->SaveArea.Rdx = Mode; > + GhcbSetRegValid (Ghcb, GhcbRdx); > + Ghcb->SaveArea.Cpl = AsmReadCs() & 0x3; > + GhcbSetRegValid (Ghcb, GhcbCpl); > + > + Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0); > + if (Status) { > + DEBUG ((DEBUG_ERROR, "SVM_EXIT_VMMCALL failed %lx\n", Status)); You need to issue an SEV-ES guest termination vmexit followed by a deadloop to ensure that boot does not proceed. You probably also need to check for the RAX register for the return code. > + } > + VmgDone (Ghcb, InterruptState); > + } else { > + SetMemoryEncDecHypercall3AsmStub ( > + KVM_HC_MAP_GPA_RANGE, > + PhysicalAddress, > + Pages, > + Mode > + ); How do you know whether the hypervisor supports the Live migration? In other words, is it safe to call the HC without knowing if HV supports the feature? Also, what will happen if we pass a bogus GPA. Does the HC return an error? Same as SEV-ES block, you probably need to check the RAX register for the return code. On failure, cause an assert() and terminate the boot. > + } > +} > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index f53efeae79..36f1d82ce7 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc 
> @@ -176,6 +176,7 @@ > VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf > LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf > MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > !if $(SMM_REQUIRE) == FALSE > LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf > !endif > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index b3662e17f2..2a743688b4 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -180,6 +180,7 @@ > VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf > LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf > MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > !if $(SMM_REQUIRE) == FALSE > LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf > !endif > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 0a237a9058..eb9da51a15 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -180,6 +180,7 @@ > VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf > LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf > MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > !if $(SMM_REQUIRE) == FALSE > LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf > !endif > diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc > index 3c1ca6bfd4..de0c052832 100644 > --- a/OvmfPkg/OvmfXen.dsc > +++ b/OvmfPkg/OvmfXen.dsc 
> @@ -167,6 +167,7 @@ > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxeLib.inf > QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf > MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf > LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf > CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf > FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf > Update the AmdSev.dsc to include this library. -Brijesh
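
Review bot: In OvmfPkg/Include/Library/MemEncryptHypercallLib.h the prototype of SetMemoryEncDecHypercall3() takes "IN UINTN PhysicalAddress" and "IN UINTN Length", while the Ia32 and X64 definitions both take "IN PHYSICAL_ADDRESS PhysicalAddress" and "IN UINTN Pages". On IA32, UINTN is 32 bits wide and PHYSICAL_ADDRESS is 64, so the declaration and the definition are different types there. Suggest using PHYSICAL_ADDRESS in the header, settling on either Length or Pages, and having the @param text state which unit the hypervisor receives in RCX.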
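
Review bot: In X64/AsmHelperStub.nasm the stub is documented as VOID and its C prototype in X64/MemEncryptHypercallLib.c is VOID as well, so the value left in RAX after vmmcall never reaches the caller. Suggest declaring the stub as returning UINTN so the non-ES path has a result to act on. Separately, the comment above "mov rdx, r9" says Arg2 a second time; it should read Arg3.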
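
Review bot: In X64/MemEncryptHypercallLib.c, Mode is copied unchanged into Ghcb->SaveArea.Rdx and into the last stub argument, yet the header documents it as "SetCBit or ClearCBit" and separately defines KVM_MAP_GPA_RANGE_PAGE_SZ_* and KVM_MAP_GPA_RANGE_ENCRYPTED / KVM_MAP_GPA_RANGE_DECRYPTED, none of which this file uses. Either build the attribute value inside SetMemoryEncDecHypercall3() from those macros, or document that callers must pass an already encoded KVM_MAP_GPA_RANGE_* value, so that the page size and encryption status reported to the hypervisor are unambiguous.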
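
Review bot: The [LibraryClasses] section of MemEncryptHypercallLib.inf lists only BaseLib, DebugLib and VmgExitLib, but X64/MemEncryptHypercallLib.c calls MemEncryptSevEsIsEnabled (), which MemEncryptSevLib provides. Suggest adding MemEncryptSevLib to [LibraryClasses] so the dependency is declared by this library rather than satisfied only because the platform DSC files happen to resolve it.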