From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+115308+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id BFFC8D80110
	for <rebecca@openfw.io>; Fri,  9 Feb 2024 16:17:48 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=Pu1Ou3oWggg65cUGlrV3yQEMczNpmdzaifuD1G+nvfo=;
 c=relaxed/simple; d=groups.io;
 h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:Message-ID:Date:User-Agent:Subject:To:Cc:References:From:In-Reply-To:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1707495467; v=1;
 b=MEm1XjDopzcgcoRo4NPDV9it6m5voSen0jQ6fRqMNMOrbRbN4dlD3f7mRJFHpruscB6DT4ey
 FfupK7DIpItwSzW7IOsaNCWOUHO2WArZDSqEYA2/mKszeDiW4NgOEG8lMtZw/TN6oN040gWSX0d
 Cw2j7JZ712Nm3A6GcOB+WJWM=
X-Received: by 127.0.0.2 with SMTP id eEi6YY7687511xFfsRs4utyp; Fri, 09 Feb 2024 08:17:47 -0800
X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.63])
 by mx.groups.io with SMTP id smtpd.web10.16201.1707495466640466472
 for <devel@edk2.groups.io>;
 Fri, 09 Feb 2024 08:17:46 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=PR2jRfEbT9kifzWrP+l+mkrW1ipakbLRrjwtvPHtFi9/10UQJDpCz5fOLm1rGNWY9vINZ45h1omQ2lf8O0BTZo/EVNMMv9lkh5KtAu70GA3bPn4w8i4379UuXhECEtSQ+y8/oHkYeWuNnuhRdQQr51etYGvV7If5x1NGH+ewBet3IbfBboQ3PTPKEoQBEx1ouIm2coNf9fKKRnOd8R8l8Ce+BQ4g5gM7KlpnspcWOIsQCXbQA73bmm/sM/Gm7mr1+ko44uk9icx+u8KQhxaDnWbL0p3HquvhCoI/1hgv2iqIsHDA1oAoEnN7A6vfgLdU3SRgxuDTYHN0KspYp1SOIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=mlpnrzE8JYd2wrVXoRxjxWXkxd5d1/9E4jIbf5XhZ3k=;
 b=UpIR8ChxcEkYkoLQ9JpP0oXbg9GQkx6gRtOe1rmgZ6cGlqZCOqNCVExB/MGYULKMRheXrQ3v6hM6o4aUS8I7f0byJNf+Y0a702ed2iQnF8ocHTZBxjP2VQm2zoZsrMsAvY7htUQtdOveYtrTP3WClH3kq1IEWkfL1H4hzdQ9fCMMuBdOUB0ZpBj9dCh5deKbOTVIoksQ6WqoNIWfszPwzcUf40f/BGYHLqZE+9qZ3E+Ug0XlufKhrE1faHdLNcGfv/dbytClD4DEGHJ2fDoqtG/apS+7dm/V95YE9Qi1l51Ca0Ic5PnhXb/9AQ3ajtrHjzLBuRo/NWbfk+Uh0yg/3g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
X-Received: from BL1PR12MB5732.namprd12.prod.outlook.com (2603:10b6:208:387::17)
 by BL3PR12MB6570.namprd12.prod.outlook.com (2603:10b6:208:38d::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7292.11; Fri, 9 Feb
 2024 16:17:43 +0000
X-Received: from BL1PR12MB5732.namprd12.prod.outlook.com
 ([fe80::f44f:4aa:d49e:d055]) by BL1PR12MB5732.namprd12.prod.outlook.com
 ([fe80::f44f:4aa:d49e:d055%7]) with mapi id 15.20.7292.010; Fri, 9 Feb 2024
 16:17:43 +0000
Message-ID: <7bfc9725-ef5c-2c3c-81c0-1394a09c9ce5@amd.com>
Date: Fri, 9 Feb 2024 10:17:40 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.1
Subject: Re: [edk2-devel] [PATCH 00/16] Provide SEV-SNP support for running under an SVSM
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
 "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
 "Aktas, Erdem" <erdemaktas@google.com>, Gerd Hoffmann <kraxel@redhat.com>,
 Laszlo Ersek <lersek@redhat.com>, Liming Gao <gaoliming@byosoft.com.cn>,
 "Kinney, Michael D" <michael.d.kinney@intel.com>,
 "Xu, Min M" <min.m.xu@intel.com>, "Liu, Zhiguang" <zhiguang.liu@intel.com>,
 "Kumar, Rahul R" <rahul.r.kumar@intel.com>, "Ni, Ray" <ray.ni@intel.com>,
 Michael Roth <michael.roth@amd.com>
References: <cover.1706307195.git.thomas.lendacky@amd.com>
 <MW4PR11MB5872462F1F0BF5D43C9B3E428C782@MW4PR11MB5872.namprd11.prod.outlook.com>
 <0fa719f4-bdeb-ec82-1fe5-8e3254b6f3ee@amd.com>
 <17AE677D909D4A42.23935@groups.io>
 <MW4PR11MB5872FE5E00EF83D4BD348F598C4B2@MW4PR11MB5872.namprd11.prod.outlook.com>
From: "Lendacky, Thomas via groups.io" <thomas.lendacky=amd.com@groups.io>
In-Reply-To: <MW4PR11MB5872FE5E00EF83D4BD348F598C4B2@MW4PR11MB5872.namprd11.prod.outlook.com>
X-ClientProxiedBy: SN7PR04CA0177.namprd04.prod.outlook.com
 (2603:10b6:806:125::32) To BL1PR12MB5732.namprd12.prod.outlook.com
 (2603:10b6:208:387::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL1PR12MB5732:EE_|BL3PR12MB6570:EE_
X-MS-Office365-Filtering-Correlation-Id: 387ce83f-a709-4b4c-8c06-08dc298aa504
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Message-Info: 
	qWuRW69Db6H3vZxZQtCR/vnEomscPxU6J9imp9t5NN6d0XZNAqmD2/pyO84LMqAOIPePAaT56jMWrqxiRIANnDUqQvUtmqbgdWrwwOMW4KHEiuuY2oJVeIXsNoKO+W6jw2qxzyNi7d/WbAtTewJoWbX8OZlMn0gwb5SqvDOCvzzAbr/n1Mu4ylnYy2dpIy5ZIhCYw1obShjJHiTKk2uHzZfIBL+Mb7H6wnS/Zx7sIomllAegaSml6HXvBrRYf3Yrc9OE2DV73N141VuuDNiS7cTgSoEDMr3xTIfcV9xHTuQGGJpExc2Z5Hox/Vk2/eUcnv/LpZ9MRo4SJHxmslWEiCT9T5j4Ha/iMcjFE/X3iSvhsDQ+FZ0Lph9kqyeitzXxocjlUg/DERg12RrOkdC2xV1dqvJOexXkoAmfZ2v9I6bK/FaHifM4nlTkpI97L8hi8l1UtG2JTHXMGaQ7JCam/WgbL4Dzq7aP/M2r2zF0Gxl/XtUg/aun6nNe2+3mXp2K9qwFR4WO7EuerGu0znz2nq/nWxLafGku10hgNbBNujm4GLK3cHzD6zEh0/s41e2WZVv2/h9grV48YNUB/K9fyA==
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?T2lJVHhHcTV2Yk9IMVQwZ0dIVzNqVmdBaExuVExrdUxCN2o5eUVieldBWm9O?=
 =?utf-8?B?OStyaFlnbWp6Uyt2NVBFT2V3N245WXd5SitNMkVMRTYzZnJZV1pMUWxhcDhi?=
 =?utf-8?B?ZW01UStxMnI0cnd6WUdPOWp0Vko5a0Q1anMzSXpqemFzd0xqZHcvdjVmeWhp?=
 =?utf-8?B?dUdaREVMOG1jbVU4cXorMkUxUWVacG01V08wbUdzdllKemozYVc0Q1loWWNG?=
 =?utf-8?B?L2lnOUNsd3BiY1ZlRlJwTlVlSWZaaWZ0Q2pnZ2RQZ3Y1NUZiVmFBL2Z5RWpW?=
 =?utf-8?B?YlhxNm0yK1BlOTc1UjQwYkZURitGNkd4K3I3cUlDcVE2OGsxQ0dUMEhtTDRO?=
 =?utf-8?B?U2RYWlZSZU1IWm9lMHhMQjBYQmMvZ2o2STkxUzRMb1RScWRSQzRqK0VXNmdD?=
 =?utf-8?B?MGpMRFBsNFVCTUxEMEl1elpXYmwzaTQrU2xVUGx6dkErdVpHenA5SVhTaXF1?=
 =?utf-8?B?RkdmSngzU3A4WW51dW9WclVZNlIyRWRveDNZejUyVDVWOGNlQzBTbnQvazhm?=
 =?utf-8?B?YnNVclEwNEd5b0xCR2g4ZWFEbmJaUEVxQmxjMFBZTEVWcUt5bVFaL1dMR2gx?=
 =?utf-8?B?YmFvbThGLzQ4WE4yQ0tWVjZqSFVCUEk2aldBTXBpOVRjZ1Z5Z2oxMzRFWloy?=
 =?utf-8?B?TXN5RWZWRE95cDZyYTR4Q244M0cvRTR6a1FKa05IeStBZnorS0QvUzJ6TERI?=
 =?utf-8?B?TFNmTkY5MnJoK1BHZE8rdUxOVUpqcFJLZzZmcTRHbi94RVp2Kzl3NFJmRmRG?=
 =?utf-8?B?YlVkTUZyTmNoc0dmZWl6ZkpHNGw0OE9rYzAzZUNMVXp3VjVEeDYwSW1wOXBS?=
 =?utf-8?B?MXlpTTRTcm5wR29HSUxzM0l4MThVaGs5RFZVR3VUcnFycnZjeTcyOWxsWmpu?=
 =?utf-8?B?d3FocmpMVlM1alhzSUxiNWMzblJVRWUzMmhFVVRLNkdUSys4WDNZNklraG1D?=
 =?utf-8?B?Rm1tVVd6a1VUZHpaQXRwckZ2Z3dsaUZUNUlha1p2RXZNTmJndHo5bjhreGFZ?=
 =?utf-8?B?eE9YZERLZDRoRmliMEVYTEFsZ3hWMmlwUm1aaWJzS1NOaUg0YUpRU1NHd09X?=
 =?utf-8?B?MVpwUXVaYWQ4amFsOVZaNTlTUk9sVnpDQ0dxYnFZTy9IZnlvTXlhRWhobDBR?=
 =?utf-8?B?NzFxWS9zYVUvb1FSZEJqUGJoeGlBWU1RVkZobXJGdmxLcWVsd3lZVmlSMlp4?=
 =?utf-8?B?b3BOdm45N2d3akhjeFJZNmZUY3BJNEhLT1lNNG9adkMzRW1WZ2NhcytGek5y?=
 =?utf-8?B?WTZkaUN2TUZoM2dDY0JWcEZYL1kzR3RqUTRSd0luZ1pjS2l6TWw2dTFyQVg1?=
 =?utf-8?B?bGprZDlHOHlrMG9RNVVHTEQyOHpGZEpqUGRXS3pFdFZ0c3h0RjIwc1grc283?=
 =?utf-8?B?Q0VvRWlSRjNNd0h0bFhYSFJWMlBDa0VJZHlHYlBYYkZRRnNYeEpzRWVENUFl?=
 =?utf-8?B?ZEQxSlJJb2Myb1JUTlNQNVBoZzZ5UHp6bXVHVDVNUDg2bGIvZEYzM0pCRWdq?=
 =?utf-8?B?cEEva2dGcURML01qbERBbEZVQWxxbmJpQUg0cS91SDNDMExrVlZ0RlR6TXA2?=
 =?utf-8?B?bHFnZHArZDM2dmNCaFExWEtLUzB2dFBuZUR0a1ZwMG5vQW5ZcEI2NUJLOVoz?=
 =?utf-8?B?M3d5VVB1SllDczAxeGVUVEl4bmJuMjVpSS81c1lUckVFU0U3S3VWT0FrdUN4?=
 =?utf-8?B?Z05MMVJ0YVhRT1lZNEZRQUIyNXpyYkFzNE92ZkdWYkdCTnduakRKMWx5MXZE?=
 =?utf-8?B?VmNwaTBEMGlQS1BEbzN0ZU4wSUJjWm5EZnBSU3RvbHNVcDkxNGo0VEVXZGFR?=
 =?utf-8?B?Z28xWWpTV1FZV2gxNjFBb0RXMnhzRTFDOEZRaXlJZ2ljcWlTN1NKOGpOakVi?=
 =?utf-8?B?L2tmOGt4Y2ZpVG5URFM3enhNNUxFcG1kTjRXK0xrK1NzdmdLWkVtSWVoQ205?=
 =?utf-8?B?UWJOeXJDWnhtcE0raEVkdGtQSkpTYlNmSnMrK0ZMbmtEWktUQzFHbGMxdEs2?=
 =?utf-8?B?ajV0NHIvcVJlTys2M01oWEE5ai9XSC9rSFZOUW5BeU5TVEZXWFNCeFBvYU5O?=
 =?utf-8?B?cVA1ajZoamlqWHZpVWExUUdseVp0RU9XRUhvVzlKdm5EVXRubFY4NWZZc0pO?=
 =?utf-8?Q?+KnCZoldvkxYltPxb4dSzHNlw?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 387ce83f-a709-4b4c-8c06-08dc298aa504
X-MS-Exchange-CrossTenant-AuthSource: BL1PR12MB5732.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Feb 2024 16:17:43.4626
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 3YNtwgCeaokF/jHa8iicoUBJE6I8QjaWoil41n6h5b7ciM47v3xUgksF9B0t1WkBrWu8hc4803NRskYJcHFdIg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL3PR12MB6570
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,thomas.lendacky@amd.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: ZFhJCHCovVFlAprDZnkIRR0Hx7686176AA=
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=MEm1XjDo;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	dmarc=pass (policy=none) header.from=groups.io;
	arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}")

On 2/9/24 02:11, Yao, Jiewen wrote:
> Some initial feedback:
>=20
> Patch 1 - OvmfPkg/BaseMemEncryptSevLib: Re-organize page state change sup=
port
> Please split MdePkg update, since it requires different reviewer.

Yes, I had noticed this also and have split this out separately.

>=20
> Patch 4 - UefiCpuPkg/CcExitLib: Extend the CcExitLib library to support a=
n SVSM
> I am not sure why we need to expose SVSM API in CcExitLib. Why the Except=
ion handle need to aware of SVSM?
> If other library need SVSM API, then why not create a SvsmLib?

I chose the CcExitLib library because of the issuance of GHCB requests /=20
VMGEXIT and the guarding of the GHCB from that library today. I can=20
certainly look at creating a separate library if that is truly=20
required/preferred, but to me it made sense to put that function in that=20
library. Please let me know your thoughts.

>=20
> Patch 11 - UefiCpuPkg: Create APIC ID list PCD
> Why use PCD? Why not use HOB?

Yes, Ray had the same request and it will be converted to a HOB in the=20
next version.

Thanks,
Tom

>=20
> Thank you
> Yao, Jiewen
>=20
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiew=
en
>> Sent: Sunday, January 28, 2024 12:11 PM
>> To: Tom Lendacky <thomas.lendacky@amd.com>; devel@edk2.groups.io
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Aktas, Erdem
>> <erdemaktas@google.com>; Gerd Hoffmann <kraxel@redhat.com>; Laszlo Ersek
>> <lersek@redhat.com>; Liming Gao <gaoliming@byosoft.com.cn>; Kinney, Mich=
ael
>> D <michael.d.kinney@intel.com>; Xu, Min M <min.m.xu@intel.com>; Liu,
>> Zhiguang <zhiguang.liu@intel.com>; Kumar, Rahul R <rahul.r.kumar@intel.c=
om>;
>> Ni, Ray <ray.ni@intel.com>; Michael Roth <michael.roth@amd.com>
>> Subject: Re: [edk2-devel] [PATCH 00/16] Provide SEV-SNP support for runn=
ing
>> under an SVSM
>>
>> Thanks Tom. Below is exactly what I am looking for:
>> "the decision to use the SVSM API will be based on the VMPL level at whi=
ch
>> OVMF is running."
>>
>> OVMF needs to detect SEV-SNP, then make next level decision on VMPL.
>> Makes sense to me.
>>
>> Thank you
>> Yao, Jiewen
>>
>>> -----Original Message-----
>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>> Sent: Sunday, January 28, 2024 1:49 AM
>>> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
>>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Aktas, Erdem
>>> <erdemaktas@google.com>; Gerd Hoffmann <kraxel@redhat.com>; Laszlo
>> Ersek
>>> <lersek@redhat.com>; Liming Gao <gaoliming@byosoft.com.cn>; Kinney,
>> Michael
>>> D <michael.d.kinney@intel.com>; Xu, Min M <min.m.xu@intel.com>; Liu,
>>> Zhiguang <zhiguang.liu@intel.com>; Kumar, Rahul R
>> <rahul.r.kumar@intel.com>;
>>> Ni, Ray <ray.ni@intel.com>; Michael Roth <michael.roth@amd.com>
>>> Subject: Re: [PATCH 00/16] Provide SEV-SNP support for running under an=
 SVSM
>>>
>>> On 1/26/24 22:04, Yao, Jiewen wrote:
>>>> Thanks Tom.
>>>> Please give me some time to digest this patch set before I can give so=
me
>>> feedback.
>>>>
>>>> One quick question to you:
>>>> With this patch, we need to support multiple SEV modes:
>>>> 1. SEV guest firmware
>>>> 2. SEV-ES guest firmware
>>>> 3. SEV-SNP guest firmware
>>>> 4. SEV-SNP SVSM guest firmware
>>>
>>> This last mode is still an SNP guest, it just requires invoking an API =
to
>>> perform operations that require VMPL0 permissions. I'm not sure what yo=
u
>>> mean by having firmware at the end of each mode. The same firmware is u=
sed
>>> for all SEV guest modes as well as non-SEV guests.
>>>
>>>> And all these mode requires runtime detection. Am I right?
>>>
>>> Yes
>>>
>>>> If so, where is the flag to set those mode?
>>>
>>> There are function calls available to detect the SEV mode. See the
>>> implementation of MemEncryptSevIsEnabled(), MemEncryptSevEsIsEnabled()
>> and
>>> MemEncryptSevSnpIsEnabled().
>>>
>>> OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
>>> OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>>> OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
>>>
>>> (OvmfPkg/Sec/AmdSev.c also has some early detection support)
>>>
>>> Note:
>>>     - An SEV-SNP guest is also considered an SEV-ES and SEV guest.
>>>     - An SEV-ES guest is also considered an SEV guest.
>>>
>>> Within the CcExitLib library, the decision to use the SVSM API will be
>>> based on the VMPL level at which OVMF is running.
>>>
>>> Thanks,
>>> Tom
>>>
>>>>
>>>> Please correct me if my understanding is wrong.
>>>>
>>>> Thank you
>>>> Yao, Jiewen
>>>>
>>>>> -----Original Message-----
>>>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>>>> Sent: Saturday, January 27, 2024 6:13 AM
>>>>> To: devel@edk2.groups.io
>>>>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Aktas, Erdem
>>>>> <erdemaktas@google.com>; Gerd Hoffmann <kraxel@redhat.com>; Yao,
>>> Jiewen
>>>>> <jiewen.yao@intel.com>; Laszlo Ersek <lersek@redhat.com>; Liming Gao
>>>>> <gaoliming@byosoft.com.cn>; Kinney, Michael D
>>> <michael.d.kinney@intel.com>;
>>>>> Xu, Min M <min.m.xu@intel.com>; Liu, Zhiguang <zhiguang.liu@intel.com=
>;
>>>>> Kumar, Rahul R <rahul.r.kumar@intel.com>; Ni, Ray <ray.ni@intel.com>;
>>> Michael
>>>>> Roth <michael.roth@amd.com>
>>>>> Subject: [PATCH 00/16] Provide SEV-SNP support for running under an S=
VSM
>>>>>
>>>>>
>>>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4654
>>>>>
>>>>> This series adds SEV-SNP support for running OVMF under an Secure VM
>>>>> Service Module (SVSM) at a less privileged VM Privilege Level (VMPL).
>>>>> By running at a less priviledged VMPL, the SVSM can be used to provid=
e
>>>>> services, e.g. a virtual TPM, for the guest OS within the SEV-SNP
>>>>> confidential VM (CVM) rather than trust such services from the hyperv=
isor.
>>>>>
>>>>> Currently, OVMF expects to run at the highest VMPL, VMPL0, and there =
are
>>>>> certain SNP related operations that require that VMPL level. Specific=
ally,
>>>>> the PVALIDATE instruction and the RMPADJUST instruction when setting =
the
>>>>> the VMSA attribute of a page (used when starting APs).
>>>>>
>>>>> If OVMF is to run at a less privileged VMPL, e.g. VMPL2, then it must
>>>>> use an SVSM (which is running at VMPL0) to perform the operations tha=
t
>>>>> it is no longer able to perform.
>>>>>
>>>>> How OVMF interacts with and uses the SVSM is documented in the SVSM
>>>>> specification [1] and the GHCB specification [2].
>>>>>
>>>>> This series introduces support to run OVMF under an SVSM. It consists
>>>>> of:
>>>>>     - Reorganize the page state change support to not directly use th=
e
>>>>>       GHCB buffer since an SVSM will use the calling area buffer, ins=
tead
>>>>>     - Detecting the presence of an SVSM
>>>>>     - When not running at VMPL0, invoking the SVSM for page validatio=
n and
>>>>>       VMSA page creation/deletion
>>>>>     - Retrieving the list of vCPU APIC IDs and starting up all APs wi=
thout
>>>>>       performing a broadcast SIPI
>>>>>     - Detecting and allowing OVMF to run in a VMPL other than 0 when =
an
>>>>>       SVSM is present
>>>>>
>>>>> The series is based off of commit:
>>>>>
>>>>>     7d7decfa3dc8 ("UefiPayloadPkg/Crypto: Support external Crypto dri=
vers.")
>>>>>
>>>>> [1] https://www.amd.com/content/dam/amd/en/documents/epyc-
>> technical-
>>>>> docs/specifications/58019.pdf
>>>>> [2] https://www.amd.com/content/dam/amd/en/documents/epyc-
>> technical-
>>>>> docs/specifications/56421.pdf
>>>>>
>>>>> ---
>>>>>
>>>>> Tom Lendacky (16):
>>>>>     OvmfPkg/BaseMemEncryptSevLib: Re-organize page state change suppo=
rt
>>>>>     MdePkg/Register/Amd: Define the SVSM related information
>>>>>     MdePkg/BaseLib: Add a new VMGEXIT instruction invocation for SVSM
>>>>>     UefiCpuPkg/CcExitLib: Extend the CcExitLib library to support an =
SVSM
>>>>>     Ovmfpkg/CcExitLib: Extend CcExitLib to handle SVSM related servic=
es
>>>>>     OvmfPkg: Create a calling area used to communicate with the SVSM
>>>>>     OvmfPkg/CcExitLib: Add support for the SVSM_CORE_PVALIDATE call
>>>>>     OvmfPkg/CcExitLib: Add support for the SVSM create/delete vCPU ca=
lls
>>>>>     UefiCpuPkg/MpInitLib: Use CcExitSnpVmsaRmpAdjust() to set/clear V=
MSA
>>>>>     MdePkg: GHCB APIC ID retrieval support definitions
>>>>>     UefiCpuPkg: Create APIC ID list PCD
>>>>>     OvmfPkg/PlatformPei: Retrieve APIC IDs from the hypervisor
>>>>>     UefiCpuPkg/MpInitLib: Always use AP Create if PcdSevSnpApicIds is=
 set
>>>>>     UefiCpuPkg/MpInitLib: AP creation support under an SVSM
>>>>>     Ovmfpkg/CcExitLib: Provide SVSM discovery support
>>>>>     OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not
>> at
>>>>>       VMPL0
>>>>>
>>>>>    OvmfPkg/OvmfPkg.dec                                               =
    |   4 +
>>>>>    UefiCpuPkg/UefiCpuPkg.dec                                         =
    |   7 +-
>>>>>    OvmfPkg/AmdSev/AmdSevX64.fdf                                      =
    |   9 +-
>>>>>    OvmfPkg/OvmfPkgX64.fdf                                            =
    |   3 +
>>>>>    MdePkg/Library/BaseLib/BaseLib.inf                                =
    |   2 +
>>>>>    OvmfPkg/Library/CcExitLib/CcExitLib.inf                           =
    |   5 +-
>>>>>    OvmfPkg/Library/CcExitLib/SecCcExitLib.inf                        =
    |   5 +-
>>>>>    OvmfPkg/PlatformPei/PlatformPei.inf                               =
    |   3 +
>>>>>    OvmfPkg/ResetVector/ResetVector.inf                               =
    |   2 +
>>>>>    UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf                     =
    |   1 +
>>>>>    UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf                     =
    |   3 +-
>>>>>    MdePkg/Include/Library/BaseLib.h                                  =
    |  39 ++
>>>>>    MdePkg/Include/Register/Amd/Fam17Msr.h                            =
    |  19 +-
>>>>>    MdePkg/Include/Register/Amd/Ghcb.h                                =
    |  19 +-
>>>>>    MdePkg/Include/Register/Amd/Msr.h                                 =
    |   3 +-
>>>>>    MdePkg/Include/Register/Amd/Svsm.h                                =
    | 101 ++++
>>>>>    MdePkg/Include/Register/Amd/SvsmMsr.h                             =
    |  35 ++
>>>>>    OvmfPkg/Include/WorkArea.h                                        =
    |   7 +
>>>>>    OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>> |
>>> 4
>>>>> +-
>>>>>    OvmfPkg/Library/CcExitLib/CcExitSvsm.h                            =
    |  29 ++
>>>>>    UefiCpuPkg/Include/Library/CcExitLib.h                            =
    |  71 ++-
>>>>>    UefiCpuPkg/Library/MpInitLib/MpLib.h                              =
    |  27 +-
>>>>>
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>>> |
>>>>> 16 +-
>>>>>    OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> |
>>> 25
>>>>> +-
>>>>>
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>>> |
>>>>> 20 +-
>>>>>
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>>> |
>>>>> 25 +-
>>>>>
>>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>> |
>>>>> 203 ++++----
>>>>>    OvmfPkg/Library/CcExitLib/CcExitSvsm.c                            =
    | 532
>>>>> ++++++++++++++++++++
>>>>>    OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                       =
    |  29 +-
>>>>>    OvmfPkg/PlatformPei/AmdSev.c                                      =
    | 100 +++-
>>>>>    UefiCpuPkg/Library/CcExitLibNull/CcExitLibNull.c                  =
    |  82 ++-
>>>>>    UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c                        =
    |  19 +-
>>>>>    UefiCpuPkg/Library/MpInitLib/MpLib.c                              =
    |   7 +-
>>>>>    UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c                         =
    | 127 +++--
>>>>>    MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm                      =
    |  39 ++
>>>>>    MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm                       =
    |  94 ++++
>>>>>    OvmfPkg/ResetVector/ResetVector.nasmb                             =
    |   6 +-
>>>>>    OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm                       =
    |   9 +
>>>>>    UefiCpuPkg/UefiCpuPkg.uni                                         =
    |   3 +
>>>>>    39 files changed, 1524 insertions(+), 210 deletions(-)
>>>>>    create mode 100644 MdePkg/Include/Register/Amd/Svsm.h
>>>>>    create mode 100644 MdePkg/Include/Register/Amd/SvsmMsr.h
>>>>>    create mode 100644 OvmfPkg/Library/CcExitLib/CcExitSvsm.h
>>>>>    create mode 100644 OvmfPkg/Library/CcExitLib/CcExitSvsm.c
>>>>>    create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm
>>>>>    create mode 100644 MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm
>>>>>
>>>>> --
>>>>> 2.42.0
>>>>
>>
>>
>>=20
>>
>=20


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115308): https://edk2.groups.io/g/devel/message/115308
Mute This Topic: https://groups.io/mt/103986434/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-