From: "Lendacky, Thomas"
Date: Mon, 9 Aug 2021 09:19:58 -0500
Subject: Re: [PATCH v6 2/6] OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state change
To: Ashish Kalra, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, brijesh.singh@amd.com, tobin@ibm.com, jejb@linux.ibm.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com, erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com
Message-ID: <89769020-0d95-552d-e0e1-f98f89efb231@amd.com>
In-Reply-To: <13cc36f3dbb0e5a0d10b241ef23ff67b7bd507b7.1627906232.git.ashish.kalra@amd.com>

On 8/2/21 7:31 AM, Ashish Kalra wrote:
> From: Ashish Kalra > > Add API to issue hypercall on page encryption state change. > > By default all the SEV guest memory regions are considered encrypted, > if a guest changes the encryption attribute of the page (e.g mark a > page as decrypted) then notify hypervisor. Hypervisor will need to > track the unencrypted pages. The information will be used during > guest live migration, guest page migration and guest debugging. > > This hypercall is used to notify hypervisor when the page's > encryption state changes. > > Cc: Jordan Justen > Cc: Ard Biesheuvel > Signed-off-by: Brijesh Singh > Signed-off-by: Ashish Kalra > --- > OvmfPkg/Include/Library/MemEncryptSevLib.h | 43 +++++++++++++ > OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 1 + > OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c | 27 +++++++++ > OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf | 1 + > OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 20 ++++++ > OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm | 33 ++++++++++ > OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c | 64 ++++++++++++++++++++ > 7 files changed, 189 insertions(+) > > diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h > index 59f694fb8a..56cc7bb958 100644 > --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h > +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h 
> @@ -249,4 +249,47 @@ KvmDetectSevLiveMigrationFeature( > VOID > ); > > +/** > + This hypercall is used to notify hypervisor when the page's encryption > + state changes. > + > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. > + @param[in] Pages Number of pages in memory region. > + @param[in] IsEncrypted Encrypted or Decrypted. > + > + @retval RETURN_SUCCESS Hypercall returned success. > + @retval RETURN_UNSUPPORTED Hypercall not supported. > + @retval RETURN_NO_MAPPING Hypercall returned error. > +**/ > +RETURN_STATUS > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN UINTN PhysicalAddress, > + IN UINTN Pages, > + IN BOOLEAN IsEncrypted > + ); > + > +#define KVM_HC_MAP_GPA_RANGE 12 > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K 0 > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_2M BIT0 > +#define KVM_MAP_GPA_RANGE_PAGE_SZ_1G BIT1 > +#define KVM_MAP_GPA_RANGE_ENC_STAT(n) ((n) << 4) s/STAT/STATE/ ? > +#define KVM_MAP_GPA_RANGE_ENCRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(1) > +#define KVM_MAP_GPA_RANGE_DECRYPTED KVM_MAP_GPA_RANGE_ENC_STAT(0) > + > +/** > + Interface exposed by the ASM implementation of the core hypercall Need to put the function parameters in the comment here. > + > + @retval Hypercall returned status. > +**/ > +UINTN > +EFIAPI > +SetMemoryEncDecHypercall3AsmStub ( > + IN UINTN HypercallNum, > + IN UINTN PhysicalAddress, > + IN UINTN Pages, > + IN UINTN Attributes > + ); > + > #endif // _MEM_ENCRYPT_SEV_LIB_H_ > diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > index f2e162d680..0c28afadee 100644 > --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf > @@ -38,6 +38,7 @@ > X64/PeiDxeVirtualMemory.c > X64/VirtualMemory.c > X64/VirtualMemory.h > + X64/AsmHelperStub.nasm > > [Sources.IA32] > Ia32/MemEncryptSevLib.c 
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c > index be260e0d10..516d639489 100644 > --- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c > @@ -136,3 +136,30 @@ MemEncryptSevClearMmioPageEncMask ( > // > return RETURN_UNSUPPORTED; > } > + > +/** > + This hyercall is used to notify hypervisor when the page's encryption > + state changes. > + > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. > + @param[in] Pages Number of Pages in the memory region. > + @param[in] IsEncrypted Encrypted or Decrypted. > + > + @retval RETURN_SUCCESS Hypercall returned success. > + @retval RETURN_UNSUPPORTED Hypercall not supported. > + @retval RETURN_NO_MAPPING Hypercall returned error. > +**/ > +RETURN_STATUS > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN UINTN PhysicalAddress, > + IN UINTN Pages, > + IN BOOLEAN IsEncrypted > + ) > +{ > + // > + // Memory encryption bit is not accessible in 32-bit mode > + // > + return RETURN_UNSUPPORTED; > +} > diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf > index 03a78c32df..3233ca7979 100644 > --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf > @@ -38,6 +38,7 @@ > X64/PeiDxeVirtualMemory.c > X64/VirtualMemory.c > X64/VirtualMemory.h > + X64/AsmHelperStub.nasm > > [Sources.IA32] > Ia32/MemEncryptSevLib.c > diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c > index d9f7befcd2..ebb1c39319 100644 > --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c 
> @@ -118,6 +118,26 @@ MemEncryptSevLiveMigrationIsEnabled ( > return FALSE; > } > > +/** > + Interface exposed by the ASM implementation of the core hypercall > + > + @retval Hypercall returned status. > +**/ > +UINTN > +EFIAPI > +SetMemoryEncDecHypercall3AsmStub ( > + IN UINTN HypercallNum, > + IN UINTN PhysicalAddress, > + IN UINTN Pages, > + IN UINTN Attributes > + ) > +{ > + // > + // Not used in SEC phase. > + // > + return RETURN_UNSUPPORTED; > +} > + > /** > Returns the SEV encryption mask. > > diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm > new file mode 100644 > index 0000000000..0ec35dd9b6 > --- /dev/null > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm > @@ -0,0 +1,33 @@ > +/** @file > + > + ASM helper stub to invoke hypercall > + > + Copyright (c) 2021, AMD Incorporated. All rights reserved.
> + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +DEFAULT REL > +SECTION .text > + > +; UINTN > +; EFIAPI > +; SetMemoryEncDecHypercall3AsmStub ( > +; IN UINTN HypercallNum, > +; IN UINTN Arg1, > +; IN UINTN Arg2, > +; IN UINTN Arg3 > +; ); > +global ASM_PFX(SetMemoryEncDecHypercall3AsmStub) > +ASM_PFX(SetMemoryEncDecHypercall3AsmStub): > + ; UEFI calling conventions require RBX to > + ; be nonvolatile/callee-saved. > + push rbx > + mov rax, rcx ; Copy HypercallNumber to rax > + mov rbx, rdx ; Copy Arg1 to the register expected by KVM > + mov rcx, r8 ; Copy Arg2 to register expected by KVM > + mov rdx, r9 ; Copy Arg3 to register expected by KVM > + vmmcall ; Call VMMCALL > + pop rbx > + ret > diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c > index a57e8fd37f..fa679c9fc9 100644 > --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c > +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c 
> @@ -143,3 +143,67 @@ MemEncryptSevClearMmioPageEncMask ( > ); > > } > + > +/** > + This hyercall is used to notify hypervisor when the page's encryption > + state changes. > + > + @param[in] PhysicalAddress The physical address that is the start address > + of a memory region. > + @param[in] Pages Number of Pages in the memory region. > + @param[in] IsEncrypted Encrypted or Decrypted. > + > + @retval RETURN_SUCCESS Hypercall returned success. > + @retval RETURN_UNSUPPORTED Hypercall not supported. > + @retval RETURN_NO_MAPPING Hypercall returned error. > +**/ > +RETURN_STATUS > +EFIAPI > +SetMemoryEncDecHypercall3 ( > + IN UINTN PhysicalAddress, > + IN UINTN Pages, > + IN BOOLEAN IsEncrypted > + ) > +{ > + RETURN_STATUS Ret; > + UINTN Error; > + UINTN EncryptMask; > + > + Ret = RETURN_UNSUPPORTED; > + > + if (MemEncryptSevLiveMigrationIsEnabled ()) { > + Ret = RETURN_SUCCESS; > + // > + // The encryption bit is set/clear on the smallest page size, hence > + // use the 4k page size in MAP_GPA_RANGE hypercall below. > + // > + // Also, when the GCD map is being walked and the c-bit being cleared > + // from MMIO and NonExistent memory spaces, the physical address > + // range being passed may not be page-aligned and adding an assert > + // here prevents booting. Hence, rounding it down when calling > + // SetMemoryEncDecHypercall3AsmStub below. > + // > + > + EncryptMask = IsEncrypted ? KVM_MAP_GPA_RANGE_ENCRYPTED : > + KVM_MAP_GPA_RANGE_DECRYPTED; Just a nit, but EncryptMask is a bit confusing because it sounds like the encryption mask used by SEV, but it's really the page encryption state as defined by the hypercall, maybe call it EncryptionState or EncryptState? 
> + > + Error = SetMemoryEncDecHypercall3AsmStub ( > + KVM_HC_MAP_GPA_RANGE, > + PhysicalAddress & ~EFI_PAGE_MASK, > + Pages, > + KVM_MAP_GPA_RANGE_PAGE_SZ_4K | EncryptMask > + ); > + > + if (Error != 0) { > + DEBUG ((DEBUG_ERROR, > + "SetMemoryEncDecHypercall3 failed, Phys = %Lx, Pages = %Ld, Err = %Ld\n", I don't believe the "L" is needed for "Phys" and "Pages" since those are UINTN variables. > + PhysicalAddress, > + Pages, > + (INT64)Error)); Indentation needs to be two spaces past the "DEBUG" function call. Thanks, Tom > + > + Ret = RETURN_NO_MAPPING; > + } > + } > + > + return Ret; > +} >
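
Review bot: In the OvmfPkg/Include/Library/MemEncryptSevLib.h hunk, the doc comment for SetMemoryEncDecHypercall3 does not describe two behaviours a caller needs to know, both visible in the X64 implementation later in this patch. RETURN_UNSUPPORTED is also what the function returns when MemEncryptSevLiveMigrationIsEnabled () is false and no hypercall is issued, not only when the "Hypercall not supported", and PhysicalAddress is rounded down to a 4K boundary before it is passed on. Please state both in the @param/@retval text. Separately, SetMemoryEncDecHypercall3AsmStub is an implementation helper. Declaring it in this public library header next to the KVM_* defines makes it part of the library interface, so consider moving the prototype to a header private to BaseMemEncryptSevLib.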
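
Review bot: In the Ia32/MemEncryptSevLib.c hunk, the first line of the new function comment reads "This hyercall is used to notify hypervisor", which should be "hypercall". The same misspelling is repeated in the comment added to X64/MemEncryptSevLib.c, while the header copy of the comment spells it correctly, so the three copies should be made identical.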
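
Review bot: In the SecMemEncryptSevLibInternal.c hunk, the C version of SetMemoryEncDecHypercall3AsmStub ends in "return RETURN_UNSUPPORTED;", which passes a RETURN_STATUS code through a UINTN that the comment documents as "Hypercall returned status". The X64 caller in this patch only tests "Error != 0", so it would translate this value to RETURN_NO_MAPPING and log it through "(INT64)Error" as if it had come from the hypervisor. The hunk context shows MemEncryptSevLiveMigrationIsEnabled in this file returning FALSE, which suggests the stub is never reached in SEC. If so, say that in the comment (the current "Not used in SEC phase." does not explain why it is safe) and document the return value as a placeholder rather than a hypercall status.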
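
Review bot: In the new X64/AsmHelperStub.nasm, the prototype comment names the arguments Arg1, Arg2 and Arg3, while the C declaration added to MemEncryptSevLib.h names them PhysicalAddress, Pages and Attributes. Please use one set of names in both places. The comment block should also state the contract the C side relies on: the caller's rcx, rdx, r8 and r9 are moved into rax, rbx, rcx and rdx before "vmmcall", and whatever the hypervisor leaves in rax is returned unmodified as the UINTN result. Only the rbx save/restore is explained at present.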
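
Review bot: In the X64/MemEncryptSevLib.c hunk, the call passes "PhysicalAddress & ~EFI_PAGE_MASK" but leaves "Pages" unchanged, although the comment just above says the incoming range may not be page-aligned. When the start is rounded down and the count is not adjusted, the range reported to the hypervisor can stop short of the caller's real end address, so the last page of a region marked decrypted may go unreported for the live-migration tracking the commit message describes. Either document that the caller must supply a Pages value that already covers the aligned range, or recompute the count here from the rounded-down start and the original end. The DEBUG message also prints the unrounded PhysicalAddress, so the logged value can differ from the one actually sent in the hypercall; logging the aligned address would make failures easier to match up.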