From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.64]) by mx.groups.io with SMTP id smtpd.web09.4775.1618960649636206224 for ; Tue, 20 Apr 2021 16:17:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=zJyZ/IFv; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.94.64, mailfrom: eric.vantassell@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nD7PeIK4nrJZNAH5xIcmIHyC/yYJaAVXhFdHVtKmeg52w1f9dOZeatpY6l72kz5ggv58YgAylqOHpdOGVKhKZeMwicoZc6QS4Bv4NGURNuGG7awY1fU9m8OTcJxtYSi21V+Wqz7Q2TCtRQrJlPYjP+iNfmmopAjfCPkPHKWG2JvA0VUBLvnx/fVAEloh8xIqBFr2M+jjflrZEUA3Hk2QGsS+xEN/bwfO7kC4Cw9F9In+5M7KBxY9/WrR5xee3G1HKpRCj9QrkmqLKvuEajDqBFux82netaH1VOdG9nDoTEdLNvNuGuRl7yr06ONlrj/RoiBG+O0U7sMgb8j1Wrflsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UnwVEg4KPPi/pXOlvgc2/+WNU5x9QXrF+VDkQOz1I7U=; b=QI5+5Ija4j7pzKyDjquz4lGdT2eSHIfnheWdtP1BcdQQzaOfHh0jIcaWFLxHGSFrFYPW5KU+gLs2RrXq1S5J2Q6MU/7K0jmoimiiZZy1FDyxpoGbo1kCkPuvWLIihyJzRwqan23lhBE2zO6V5en3z6Zu7ij8CEB7SD7/RPoI2JM549Zq5YdYmdmhJAJTCCPVYmCVn4ZklvUmrusQHsGbN+BJYMxfPe2jtORvr8Sr+/j0jFIvEVlzw5+BtpNogaem8Zpk5OeCu8P4+z5HBnVkNHrr5B0OGSd8xPTHndOskTrV9EHRfP+oYxHwqtpA/BoVGVi0HNghhBZNu5csDFkqWg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UnwVEg4KPPi/pXOlvgc2/+WNU5x9QXrF+VDkQOz1I7U=; b=zJyZ/IFvABwtE/fDeNLYXiuW3lb/sLuJc+trtY5LDcyXv5siqbDcv2RNH0o1SSeuPaq+yKmqXdB2Pb3fP61VHc4+dQtF9JITyts3molAToTl7KswXDuYAS2bi/kU8JY7Jxh7pIhiRrrliaA261HkOWp6sRTSzYZwe7dF2w7Eodk= Authentication-Results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB4624.namprd12.prod.outlook.com (2603:10b6:805:e7::15) by SN6PR12MB2845.namprd12.prod.outlook.com (2603:10b6:805:75::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.21; Tue, 20 Apr 2021 23:17:27 +0000 Received: from SN6PR12MB4624.namprd12.prod.outlook.com ([fe80::7572:4564:b382:863f]) by SN6PR12MB4624.namprd12.prod.outlook.com ([fe80::7572:4564:b382:863f%3]) with mapi id 15.20.4042.023; Tue, 20 Apr 2021 23:17:27 +0000 Subject: Re: [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV To: Tom Lendacky , devel@edk2.groups.io Cc: Joerg Roedel , Borislav Petkov , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Brijesh Singh , James Bottomley , Jiewen Yao , Min Xu References: <1f64ca5689ec86c427e4db8c41da598896dca4ba.1618959281.git.thomas.lendacky@amd.com> From: Eric van Tassell Message-ID: <831dc0af-e5b8-ead1-6ef7-f94aff8df0b5@amd.com> Date: Tue, 20 Apr 2021 18:17:25 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 In-Reply-To: <1f64ca5689ec86c427e4db8c41da598896dca4ba.1618959281.git.thomas.lendacky@amd.com> X-Originating-IP: [165.204.77.11] X-ClientProxiedBy: SN4PR0201CA0034.namprd02.prod.outlook.com (2603:10b6:803:2e::20) To SN6PR12MB4624.namprd12.prod.outlook.com (2603:10b6:805:e7::15) Return-Path: evantass@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [10.252.20.106] (165.204.77.11) by SN4PR0201CA0034.namprd02.prod.outlook.com (2603:10b6:803:2e::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.20 via Frontend Transport; Tue, 20 Apr 2021 23:17:26 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f8cdba86-e031-4293-f4d3-08d9045276bc X-MS-TrafficTypeDiagnostic: SN6PR12MB2845: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: h7ZKY8ch8Nig7mAJl785EnsYNf04hbkaNICKLdNr8fLM3uM1T0OBhKrap+qKs0NptTi8W4HBzkcm0f1Z28VLQsEKux/L/6aEavpNn5T5PdBJOop07kJqBfWEzEVQqcpHxZMm8DUumeuMFRHNXIyb5oiVDaQE1q++BCndIr/sF34+U22duuTtQIwcWp6vW2Q7+9XYxSxDPX23enP31zpWjFRRRF517Y4fBYUFfU5t3KHurDSBEXjqKHa6ruK5nMVuingRexHtA3SahzCq5RkGxEMXG4VMGoLQt1bM9oBFm6/O9+vXimbkgdYoKBltsXMv6LAa9jCpls2pbj9SNTYXdZMMR118IfR31ThW6cSQe2Ig7WJ/kseoCIFW10ikniWOVjc/g782X35Vl9tDtm9BTaQswdxfBwAzLLtJ/l/OeNwQbsdTs+dS6sRBjBkW4gOhDZtBuB95eiHvBi1P+AygJbL++bcdnMCERW9Z751TsNwDXf++qZxy2JIObG6wGDF2FyptRvH0Xb3HiRHk0UjdxXcrVp7SKpv0oNGcnsWuiYDKD3fm7lEpEWhnej3J1txj0wkUFG99wVDxXFfWDg85qacaPX/oLSJ7/xVlqsat8xl1aloaYizlhXR98SUhFgSAvYA1gO5eqP8vTAz6wDCD4GsAtj+pQCXd9chwVi+qnzI7qVFxAUeGH8HbfFduuuWjzo6koHh6N8ZElXFjWCwvD0LyVB4af62Damm6ghFFT41625qB+rwRsxtDqUMEIQ/gca5gD//DDlOL9aKYsrc9TgvA5W1WU2F9G9Y/DT0XIFg= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB4624.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(376002)(136003)(366004)(346002)(396003)(39860400002)(36756003)(38350700002)(38100700002)(66946007)(53546011)(5660300002)(6486002)(8676002)(316002)(54906003)(4326008)(16576012)(31696002)(66476007)(2906002)(26005)(31686004)(478600001)(66556008)(83380400001)(186003)(52116002)(956004)(966005)(8936002)(16526019)(2616005)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?dTNvTlNuL2g1VVJ6WDI4SWswaEkzSHJBb2JxTWswa1RuaHRPbWhmMWEvQ0Vm?= =?utf-8?B?ZGk0bTZYUFliM3FMTzVkZ1FVT1dweUxLOXlXRTBpQmVhV04vWDhhL1hkc0gx?= =?utf-8?B?Q3VyU2FsemxqZkllUFlpcE9TWTlFb1RaRmxLUlR6bFFMTU02ZktIY2FLS0ZW?= =?utf-8?B?TnIzd0FJQmxNVTQ4eG5wVTdxMkI1aWgwem04S29QK3FiOU03NnJyL2F1VTZB?= =?utf-8?B?N0xHK3JuRkp1ZUp0Z1g3MmRtT1ZaNFFUalZHQ3NsOEtyWjk3Y256TDFaZFFH?= =?utf-8?B?N284U0sxU2dLNjBkWXgxdHFubWVuOUpJeldGaXU0SjJYMU9uRGpGSUtCWSs4?= =?utf-8?B?MWFCWVl3ZHRvSWIyUGV4SldjZzhCR2haOXcvWWdlWlFBNlpvcVF3TXA0Z2Rv?= =?utf-8?B?MFFGcmlwVEg0WllPa2hzZEF5Nzl3aTlDZ0MvRWhQWU9vUnJvR2N3TnBucXEz?= =?utf-8?B?dm0xbmVubEJRdHBRdU1FRDdOZWRJUytEeE1BUjMyTTRVV3hBL3M4ajN0MEh4?= =?utf-8?B?QVV5WXU5Y0VUYXdXaGtWVWFGK3hRYVV6TFRzNEFrdE5Cd0lsTXo3RFZQc2hr?= =?utf-8?B?cHhKbHoyMGFBeUJ4K0RFK2p0VnBGS0xGaUcxS2lGTzJ2dzd0OVNlM21KYkk2?= =?utf-8?B?dWx2Mk1hc0xxaWE1UEUwQjNQQy9rV0dJNHJBMmdrS1BQVmJHYlMyVENDZm56?= =?utf-8?B?SjVXY3RDQmNiS2RwejFIb1VtR2I3bVcvZnAzeVpac3duZHlWWGdGTm5LREdJ?= =?utf-8?B?SHF4WkhINDh6S1NhTU9kV1JqMzl1d3JCQTNhaEJFNHhSdnB4SExjWVFaaHlm?= =?utf-8?B?YW8rRmNiUjZaWGRUWFluZHJoSldkRTdPZXg0YUwyMlRsKzhzRXBSUGRxR1Uv?= =?utf-8?B?dlVPVTRiTEJDYUsrcjhHWWszTDNrRUNqSjc0cGZ3R3lsQlJySFcwL1BvblEy?= =?utf-8?B?ejlLc0xGQVBaZDlmVG52eWJUSENEaTVjSHZpVnJIUENrNXVUZlFLa2ZUUC9i?= =?utf-8?B?alhsOVBqQ3E2Q08rNUNEU2gyZ2pXbGF0ckRjZnhScU1TVU5qRVd4b0ZQQzdU?= =?utf-8?B?K09SNTAyUUhYeXlYUi94TDhDOUNTVGNjckxhaHJhcTFUWHYweHg5SFlxZjZV?= =?utf-8?B?RkdFQ0Z2cXl5KzNrWmhQcFdhb2t2L3VjTUJYWmR0MGRSYnNER1BRa01zQlho?= =?utf-8?B?ckFuQ2Nrakw1UCtnOGhIN2VjQkZkQ0NISFRzKy9nSzdFbVlsR1pxTFNNT0JN?= =?utf-8?B?UFN1c1oxa3kvMThxeTJJS1FYYXdnRjkzNW1rUjFHNHRpcDBxYlVmT0VrQXVR?= =?utf-8?B?WnNCRGt5LzN3VEt6RXozVFhIdldlUURYMnZnbGR4NTVLK21mL3FPQkJUa211?= =?utf-8?B?SW82YjB6QU1MNUhVS2pqUTNraUxwM3haQkxoQ3RGakZWazNhK0lMSHo1QWhJ?= =?utf-8?B?NCtkaFNheXRMZWgvci9vSlUwRno0L214Sjg1YTVxY3pEenBsZDl2Mk1iZFdN?= =?utf-8?B?dEYzY1VaSlZvU2gva0xSYXlmSHFYbTFMMDVQTm1lLzhJUUtYeE9XdlpwRjlj?= =?utf-8?B?K0phakdxSFBjSzlKM1FkbXN4cTF2Unp3YXZ2c0lJOS8vSGg5a3o1U3M0SWN3?= =?utf-8?B?VFhTTFhpZzAwVzF1K2hMYTUrc09YYm4wbmozZlJKbjlNU2x0eXJkRGRFZ3RM?= =?utf-8?B?eWdUMDVXdXFMaDhCcVlqd08xVEdYTVlKWUtGbEFTTyswK0cwSTRySGdka0RB?= =?utf-8?Q?2sEXpQlSoztOO5gcIdAtU4Vtmu1TPSVC+NPmsAL?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: f8cdba86-e031-4293-f4d3-08d9045276bc X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB4624.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Apr 2021 23:17:27.6648 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 9gEzXQdx+aA1/UnIb0vAS0nxiAevFfIB8VdvqrkkOFzWi4WWYn2sGjRa7tKlNo/dZAAX6N63a3g977Qq0FoncA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR12MB2845 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 4/20/21 5:54 PM, Tom Lendacky wrote: > From: Tom Lendacky > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345 > > The TPM support in OVMF performs MMIO accesses during the PEI phase. At where are the phases defined and how many other are there? > this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES > guest will fail attempting to perform MMIO to an encrypted address. > > Read the PcdTpmBaseAddress and mark the specification defined range > (0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process > the MMIO requests. > > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Brijesh Singh > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Min Xu > Signed-off-by: Tom Lendacky > --- > OvmfPkg/PlatformPei/PlatformPei.inf | 1 + > OvmfPkg/PlatformPei/AmdSev.c | 19 +++++++++++++++++++ > 2 files changed, 20 insertions(+) > > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf > index 6ef77ba7bb21..de60332e9390 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -113,6 +113,7 @@ [Pcd] > > [FixedPcd] > gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress > + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType > diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c > index dddffdebda4b..d524929f9e10 100644 > --- a/OvmfPkg/PlatformPei/AmdSev.c > +++ b/OvmfPkg/PlatformPei/AmdSev.c > @@ -141,6 +141,7 @@ AmdSevInitialize ( > ) > { > UINT64 EncryptionMask; > + UINT64 TpmBaseAddress; > RETURN_STATUS PcdStatus; > > // > @@ -206,6 +207,24 @@ AmdSevInitialize ( > } > } > > + // > + // PEI TPM support will perform MMIO accesses, be sure this range is not > + // marked encrypted. > + // > + TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress); > + if (TpmBaseAddress != 0) { > + RETURN_STATUS DecryptStatus; > + > + DecryptStatus = MemEncryptSevClearPageEncMask ( > + 0, > + TpmBaseAddress, > + EFI_SIZE_TO_PAGES (0x5000), > + FALSE > + ); > + > + ASSERT_RETURN_ERROR (DecryptStatus); > + } > + > // > // Check and perform SEV-ES initialization if required. > // >