From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Mon, 30 Sep 2019 11:52:11 -0700 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8D62AC049D7C; Mon, 30 Sep 2019 18:52:10 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-111.rdu2.redhat.com [10.10.121.111]) by smtp.corp.redhat.com (Postfix) with ESMTP id C77F660127; Mon, 30 Sep 2019 18:52:07 +0000 (UTC) Subject: Re: [edk2-devel] [RFC PATCH v2 08/44] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase To: "Lendacky, Thomas" , "devel@edk2.groups.io" Cc: Jordan Justen , Ard Biesheuvel , Michael D Kinney , Liming Gao , Eric Dong , Ray Ni , "Singh, Brijesh" References: <9799d415f652618c8a960cdb0040918185588652.1568922728.git.thomas.lendacky@amd.com> <8779b242-a38c-3bf7-ce85-469197fee287@amd.com> From: "Laszlo Ersek" Message-ID: <7e394768-f0f4-894d-e0c8-71bc9598e5ff@redhat.com> Date: Mon, 30 Sep 2019 20:52:06 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <8779b242-a38c-3bf7-ce85-469197fee287@amd.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Mon, 30 Sep 2019 18:52:10 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 09/26/19 16:00, Lendacky, Thomas wrote: > On 9/26/19 3:00 AM, Laszlo Ersek wrote: >> Hi Tom, >> >> On 09/19/19 21:52, Lendacky, Thomas wrote: >>> From: Tom Lendacky >>> >>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 >>> >>> Allocate memory for the GHCB pages during SEV initialization for use >>> during Pei and Dxe phases. The GHCB page(s) must be shared pages, so >>> clear the encryption mask from the current page table entries. Upon >>> successful allocation, set the GHCB PCDs (PcdGhcbBase and PcdGhcbSize). >> >> skimming this patch and the next two ones for OvmfPkg (#10, #11), I'm a >> bit lost. I'm missing a parallel between the "early X64 page tables" and >> the GHCB-related pages. >> >> The former are set up (in X64 OVMF) in SEC, and are used throughout PEI >> until the DXE IPL builds new ones for the DXE phase. The latter also >> *seemed* to be set up in SEC, and I thought they'd be used throughout >> PEI -- I assumed the next place we'd need to massage GHCB pages would be >> similarly in the DXE IPL, or thereabouts. >> >> However, in this patch, we seem to allocate new pages for GHCB, and the >> commit message implies they are supposed to be used during PEI. That >> diverges from how long the "early X64 page tables" are used. > > At this stage, we need a GHCB page for every (v)CPU. So a new allocation > is done and then the pages are marked unencrypted. Once the new GHCB > pages are allocated, the original GHCB page for SEC is no longer needed > because the new allocation replaces it in the BSP. But the early page > table is still required in order to access all of the memory from the 2MB > range (0x800000 to 0x9fffff). > >> >> I guess this difference could be justified, especially because we do MP >> stuff in PEI. (And we need separate GHCB stuff per VCPU -- in SEC we >> only consider the BSP.) >> >> But then, the question becomes: what exactly do we need the GHCB page >> allocated in SEC for? From the blurb, it seems that the GHCB allows the > > There are lots of different ways to cause a #VC. A #VC is generated for > debug statements that use port I/O, MMIO, intercept-able MSR accesses, > CPUID instructions, WBINVD instructions, etc. Many of these things happen > during SEC. With the debug serial output enabled, over 8,000 #VC > exceptions occur before allocating the new GHCB pages in > AmdSevEsInitialize(). > >> guest to selectively (actively) share information with the hypervisor -- >> such as (parts of?) the register file, which the hypervisor cannot >> directly access, for a SEV-ES guest. >> >> But, we never seem to place such information at PcdOvmfSecGhcbBase (aka >> GHCB_BASE) in SEC. We program the GHCB's base address, and then we clear >> the GHCB, but that seems to be it. Do we write anything non-zero to that >> block, ever? > > Yes, that happens in the SEC exception handler. When the #VC occurs, the > GHCB information is filled in and a VMGEXIT instruction is issued to exit > to the hypervisor. The hypervisor then accesses the GHCB in order to > perform the requested function. Thanks, very helpful. Can you please work this info into the relevant commit messages? (No need to repost just because of that, of course.) Thanks! Laszlo