From: "Ashish Kalra"
Subject: [PATCH v8 1/6] OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
Date: Tue, 5 Apr 2022 17:30:45 +0000
Message-ID: <76bd51fdab5cdb0a69374979b8638380e2879714.1649178155.git.ashish.kalra@amd.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

From: Ashish Kalra

Add support to check if we are running inside KVM HVM and KVM HVM supports SEV Live Migration feature.

Cc: Jordan Justen
Cc: Ard Biesheuvel
Signed-off-by: Ashish Kalra
---
 OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 ++++
 .../DxeMemEncryptSevLibInternal.c | 49 ++++++++++++++--
 .../PeiDxeMemEncryptSevLibInternal.c | 58 +++++++++++++++++++
 .../PeiDxeMemEncryptSevLibInternal.h | 31 ++++++++++
 .../PeiMemEncryptSevLibInternal.c | 42 ++++++++++++++
 .../SecMemEncryptSevLibInternal.c | 18 ++++++
 6 files changed, 206 insertions(+), 4 deletions(-)
 create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSe= vLibInternal.h
diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 4fa9c0d700..babec60df4 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -83,6 +83,18 @@ MemEncryptSevIsEnabled ( VOID=0D );=0D =0D +/**=0D + Returns a boolean to indicate whether SEV live migration is enabled.=0D +=0D + @retval TRUE SEV live migration is enabled=0D + @retval FALSE SEV live migration is not enabled=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +MemEncryptSevLiveMigrationIsEnabled (=0D + VOID=0D + );=0D +=0D /**=0D This function clears memory encryption bit for the memory region specifi= ed by=0D BaseAddress and NumPages from the current page table context.=0D diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4aba0075b9..d80ebe2fac 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c 
@@ -18,10 +18,14 @@ #include =0D #include =0D =0D -STATIC UINT64 mCurrentAttr =3D 0;=0D -STATIC BOOLEAN mCurrentAttrRead =3D FALSE;=0D -STATIC UINT64 mSevEncryptionMask =3D 0;=0D -STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE;=0D +#include "PeiDxeMemEncryptSevLibInternal.h"=0D +=0D +STATIC UINT64 mCurrentAttr =3D 0;=0D +STATIC BOOLEAN mCurrentAttrRead =3D FALSE;=0D +STATIC UINT64 mSevEncryptionMask =3D 0;=0D +STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE;=0D +STATIC BOOLEAN mSevLiveMigrationStatus =3D FALSE;=0D +STATIC BOOLEAN mSevLiveMigrationStatusChecked =3D FALSE;=0D =0D /**=0D The function check if the specified Attr is set.=0D @@ -111,6 +115,24 @@ MemEncryptSevSnpIsEnabled ( return ConfidentialComputingGuestHas (CCAttrAmdSevSnp);=0D }=0D =0D +/**=0D + Figures out if we are running inside KVM HVM and=0D + KVM HVM supports SEV Live Migration feature.=0D +**/=0D +STATIC=0D +VOID=0D +EFIAPI=0D +InternalDetectSevLiveMigrationFeature (=0D + VOID=0D + )=0D +{=0D + if (KvmDetectSevLiveMigrationFeature ()) {=0D + mSevLiveMigrationStatus =3D TRUE;=0D + }=0D +=0D + mSevLiveMigrationStatusChecked =3D TRUE;=0D +}=0D +=0D /**=0D Returns a boolean to indicate whether SEV-ES is enabled.=0D =0D @@ -141,6 +163,25 @@ MemEncryptSevIsEnabled ( return ConfidentialComputingGuestHas (CCAttrAmdSev);=0D }=0D =0D +/**=0D + Returns a boolean to indicate whether SEV live migration is enabled.=0D +=0D + @retval TRUE SEV live migration is enabled=0D + @retval FALSE SEV live migration is not enabled=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +MemEncryptSevLiveMigrationIsEnabled (=0D + VOID=0D + )=0D +{=0D + if (!mSevLiveMigrationStatusChecked) {=0D + InternalDetectSevLiveMigrationFeature ();=0D + }=0D +=0D + return mSevLiveMigrationStatus;=0D +}=0D +=0D /**=0D Returns the SEV encryption mask.=0D =0D diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInt= ernal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibIntern= al.c index 78ea16ae06..868392f7e2 100644 
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c @@ -16,6 +16,8 @@ #include =0D #include =0D =0D +#include "PeiDxeMemEncryptSevLibInternal.h"=0D +=0D /**=0D Locate the page range that covers the initial (pre-SMBASE-relocation) SM= RAM=0D Save State Map.=0D @@ -61,3 +63,59 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages ( =0D return RETURN_SUCCESS;=0D }=0D +=0D +/**=0D + Figures out if we are running inside KVM HVM and=0D + KVM HVM supports SEV Live Migration feature.=0D +=0D + @retval TRUE SEV live migration is supported.=0D + @retval FALSE SEV live migration is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +KvmDetectSevLiveMigrationFeature (=0D + VOID=0D + )=0D +{=0D + CHAR8 Signature[13];=0D + UINT32 mKvmLeaf;=0D + UINT32 RegEax;=0D + UINT32 RegEbx;=0D + UINT32 RegEcx;=0D + UINT32 RegEdx;=0D +=0D + Signature[12] =3D '\0';=0D + for (mKvmLeaf =3D 0x40000000; mKvmLeaf < 0x40010000; mKvmLeaf +=3D 0x100= ) {=0D + AsmCpuid (=0D + mKvmLeaf,=0D + NULL,=0D + (UINT32 *)&Signature[0],=0D + (UINT32 *)&Signature[4],=0D + (UINT32 *)&Signature[8]=0D + );=0D +=0D + if (AsciiStrCmp (Signature, "KVMKVMKVM") =3D=3D 0) {=0D + DEBUG ((=0D + DEBUG_INFO,=0D + "%a: KVM Detected, signature =3D %a\n",=0D + __FUNCTION__,=0D + Signature=0D + ));=0D +=0D + RegEax =3D mKvmLeaf + 1;=0D + RegEcx =3D 0;=0D + AsmCpuid (mKvmLeaf + 1, &RegEax, &RegEbx, &RegEcx, &RegEdx);=0D + if ((RegEax & KVM_FEATURE_MIGRATION_CONTROL) !=3D 0) {=0D + DEBUG ((=0D + DEBUG_INFO,=0D + "%a: SEV Live Migration feature supported\n",=0D + __FUNCTION__=0D + ));=0D +=0D + return TRUE;=0D + }=0D + }=0D + }=0D +=0D + return FALSE;=0D +}=0D diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInt= ernal.h b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibIntern= al.h new file mode 100644 index 0000000000..b0ef053cd9 --- /dev/null 
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.h @@ -0,0 +1,31 @@ +/** @file=0D +=0D + Secure Encrypted Virtualization (SEV) library helper function=0D +=0D + Copyright (c) 2021, AMD Incorporated. All rights reserved.
=0D +=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#ifndef PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_=0D +#define PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_=0D +=0D +#include =0D +=0D +#define KVM_FEATURE_MIGRATION_CONTROL BIT17=0D +=0D +/**=0D + Figures out if we are running inside KVM HVM and=0D + KVM HVM supports SEV Live Migration feature.=0D +=0D + @retval TRUE SEV live migration is supported.=0D + @retval FALSE SEV live migration is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +KvmDetectSevLiveMigrationFeature (=0D + VOID=0D + );=0D +=0D +#endif // PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_=0D diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index 3f8f91a5da..72bd6e98f8 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -17,6 +17,11 @@ #include =0D #include =0D =0D +#include "PeiDxeMemEncryptSevLibInternal.h"=0D +=0D +STATIC BOOLEAN mSevLiveMigrationStatus =3D FALSE;=0D +STATIC BOOLEAN mSevLiveMigrationStatusChecked =3D FALSE;=0D +=0D /**=0D Read the workarea to determine whether SEV is enabled. If enabled,=0D then return the SevEsWorkArea pointer.=0D @@ -83,6 +88,24 @@ MemEncryptSevSnpIsEnabled ( return Msr.Bits.SevSnpBit ? TRUE : FALSE;=0D }=0D =0D +/**=0D + Figures out if we are running inside KVM HVM and=0D + KVM HVM supports SEV Live Migration feature.=0D +**/=0D +STATIC=0D +VOID=0D +EFIAPI=0D +InternalDetectSevLiveMigrationFeature (=0D + VOID=0D + )=0D +{=0D + if (KvmDetectSevLiveMigrationFeature ()) {=0D + mSevLiveMigrationStatus =3D TRUE;=0D + }=0D +=0D + mSevLiveMigrationStatusChecked =3D TRUE;=0D +}=0D +=0D /**=0D Returns a boolean to indicate whether SEV-ES is enabled.=0D =0D 
@@ -121,6 +144,25 @@ MemEncryptSevIsEnabled ( return Msr.Bits.SevBit ? TRUE : FALSE;=0D }=0D =0D +/**=0D + Returns a boolean to indicate whether SEV live migration is enabled.=0D +=0D + @retval TRUE SEV live migration is enabled=0D + @retval FALSE SEV live migration is not enabled=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +MemEncryptSevLiveMigrationIsEnabled (=0D + VOID=0D + )=0D +{=0D + if (!mSevLiveMigrationStatusChecked) {=0D + InternalDetectSevLiveMigrationFeature ();=0D + }=0D +=0D + return mSevLiveMigrationStatus;=0D +}=0D +=0D /**=0D Returns the SEV encryption mask.=0D =0D diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 80aceba01b..b05dbec02e 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -121,6 +121,24 @@ MemEncryptSevIsEnabled ( return Msr.Bits.SevBit ? TRUE : FALSE;=0D }=0D =0D +/**=0D + Returns a boolean to indicate whether SEV live migration is enabled.=0D +=0D + @retval TRUE SEV live migration is enabled=0D + @retval FALSE SEV live migration is not enabled=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +MemEncryptSevLiveMigrationIsEnabled (=0D + VOID=0D + )=0D +{=0D + //=0D + // Not used in SEC phase.=0D + //=0D + return FALSE;=0D +}=0D +=0D /**=0D Returns the SEV encryption mask.=0D =0D --=20 2.25.1
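
Review bot: the @retval text on the new MemEncryptSevLiveMigrationIsEnabled () declaration in the MemEncryptSevLib.h hunk (@@ -83,6 +83,18 @@) does not mention that the SEC instance always returns FALSE (the SecMemEncryptSevLibInternal.c hunk comments it as "Not used in SEC phase"), so a caller cannot tell "not supported by the hypervisor" from "not implemented in this phase". Suggest extending the doc comment, e.g. `@retval FALSE SEV live migration is not enabled, or detection is not implemented by this library instance (SEC)`, so the contract is visible where the API is declared.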
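
Review bot: MemEncryptSevLiveMigrationIsEnabled () in the DxeMemEncryptSevLibInternal.c hunk @@ -141,6 +163,25 @@ returns mSevLiveMigrationStatus, which is set purely from the KVM CPUID feature bit in KvmDetectSevLiveMigrationFeature (); it never consults MemEncryptSevIsEnabled (). On a plain (non-SEV) KVM guest whose hypervisor advertises the migration-control bit the function therefore reports "SEV live migration is enabled" although no memory is encrypted. Either gate the result, e.g. `return MemEncryptSevIsEnabled () && mSevLiveMigrationStatus;`, or rename/document the function as a hypervisor-capability query rather than an "enabled" state; the same applies to the PeiMemEncryptSevLibInternal.c copy.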
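
Review bot: in KvmDetectSevLiveMigrationFeature () (PeiDxeMemEncryptSevLibInternal.c hunk @@ -61,3 +63,59 @@) the assignments `RegEax = mKvmLeaf + 1;` and `RegEcx = 0;` immediately before `AsmCpuid (mKvmLeaf + 1, &RegEax, &RegEbx, &RegEcx, &RegEdx);` are dead stores: AsmCpuid () takes the leaf as its first parameter and writes all four output registers through the pointers (AsmCpuidEx () is the variant that takes a sub-leaf). Drop them. Also `mKvmLeaf` is a local variable but carries the `m` prefix that edk2 reserves for module-level globals; `KvmLeaf` would match the surrounding code. Finally, the result is a CPUID value supplied by the hypervisor, which the SEV threat model does not trust; that is acceptable for an opt-in feature probe, but the function comment should state that the value is advisory and must not feed any decision that weakens memory encryption.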
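
Review bot: KVM_FEATURE_MIGRATION_CONTROL is defined as BIT17 in the new PeiDxeMemEncryptSevLibInternal.h with no comment saying which CPUID leaf and register it is read from; the only hint is the `mKvmLeaf + 1` / RegEax usage in the .c file. Add a one-line comment naming the leaf (the KVM feature leaf that follows the signature leaf, EAX) next to the #define so a reader of the header does not have to find the caller. Minor: the copyright line says 2021 while the patch is dated 5 Apr 2022.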
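
Review bot: the PeiMemEncryptSevLibInternal.c hunk @@ -17,6 +17,11 @@ introduces two writable globals, mSevLiveMigrationStatus and mSevLiveMigrationStatusChecked, that are written at runtime. PEI library instances can be linked into PEIMs executing in place from flash before permanent memory is installed, where such writes are lost or fault; the existing code in this very file avoids caching for that reason and re-reads the work area instead (context line "Read the workarea to determine whether SEV is enabled"). Consider storing the detection result in the SEV work area, or simply re-running KvmDetectSevLiveMigrationFeature () on each call in the PEI instance, rather than relying on written globals.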
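
Review bot: InternalDetectSevLiveMigrationFeature () in the PeiMemEncryptSevLibInternal.c hunk @@ -83,6 +88,24 @@ is a verbatim copy of the function added to DxeMemEncryptSevLibInternal.c in hunk @@ -111,6 +115,24 @@, and MemEncryptSevLiveMigrationIsEnabled () is likewise duplicated between the two instances. Since both instances already share PeiDxeMemEncryptSevLibInternal.c (where KvmDetectSevLiveMigrationFeature () lives), the detection wrapper and the public function could be defined there once, leaving only the SEC stub separate; that removes two copies that can drift apart.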