From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 256C080352 for ; Tue, 7 Mar 2017 08:35:54 -0800 (PST) Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 734EF3B71E; Tue, 7 Mar 2017 16:35:54 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-184.phx2.redhat.com [10.3.116.184]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v27GZqGm016389; Tue, 7 Mar 2017 11:35:52 -0500 To: Tom Lendacky , Brijesh Singh , jordan.l.justen@intel.com, edk2-devel@ml01.01.org References: <148884284887.29188.7643544710695103939.stgit@brijesh-build-machine> <148884285589.29188.3336162059588227554.stgit@brijesh-build-machine> <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com> Cc: leo.duran@amd.com, brijesh.sing@amd.com From: Laszlo Ersek Message-ID: <8aff33dd-51c1-0d06-b7e0-dfa59ac93b76@redhat.com> Date: Tue, 7 Mar 2017 17:35:50 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 07 Mar 2017 16:35:54 +0000 (UTC) Subject: Re: [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Mar 2017 16:35:54 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 03/07/17 17:25, Tom Lendacky wrote: > On 3/6/2017 5:27 PM, Brijesh Singh wrote: >> SEV guest VMs have the concept of private and shared memory. Private >> memory is encrypted with the guest-specific key, while shared memory >> may be encrypted with hypervisor key. The C-bit (encryption attribute) >> in PTE indicates whether the page is private or shared. >> >> If SEV is active, set the memory encryption attribute while building >> the page table. >> >> Contributed-under: TianoCore Contribution Agreement 1.0 >> Signed-off-by: Brijesh Singh >> --- >> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 >> +++++++++++++++++++++++++++++ >> 1 file changed, 52 insertions(+) >> >> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> b/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> index 6201cad..eaf9732 100644 >> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> @@ -26,6 +26,7 @@ BITS 32 >> %define PAGE_GLOBAL 0x0100 >> %define PAGE_2M_MBO 0x080 >> %define PAGE_2M_PAT 0x01000 >> +%define KVM_FEATURE_SEV 0x08 >> >> %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ >> PAGE_ACCESSED + \ >> @@ -37,6 +38,33 @@ BITS 32 >> PAGE_READ_WRITE + \ >> PAGE_PRESENT) >> >> +; Check if Secure Encrypted Virtualization (SEV) feature >> +; is enabled in KVM >> +; >> +; If SEV is enabled, then EAX will contain Memory encryption bit >> position >> +; >> +CheckKVMSEVFeature: >> + ; Check for SEV feature >> + ; CPUID KVM_FEATURE - Bit 8 >> + mov eax, 0x40000001 >> + cpuid >> + bt eax, KVM_FEATURE_SEV >> + jnc NoSev >> + >> + ; Get memory encryption information >> + ; CPUID Fn8000_001F[EBX] - Bits 5:0 >> + ; >> + mov eax, 0x8000001f >> + cpuid >> + mov eax, ebx >> + and eax, 0x3f >> + jmp SevExit >> + >> +NoSev: >> + xor eax, eax >> + >> +SevExit: >> + OneTimeCallRet CheckKVMSEVFeature >> >> ; >> ; Modified: EAX, ECX >> @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop: >> mov dword[ecx * 4 + PT_ADDR (0) - 4], eax >> loop clearPageTablesMemoryLoop >> >> + ; Check if it SEV-enabled Guest >> + ; >> + OneTimeCall CheckKVMSEVFeature >> + xor edx, edx >> + test eax, eax >> + jz SevNotActive >> + >> + ; If SEV is enabled, Memory encryption bit is always above 31 >> + mov ebx, 32 >> + sub ebx, eax >> + bts edx, eax >> + >> +SevNotActive: >> + >> + ; >> ; >> ; Top level Page Directory Pointers (1 * 512GB entry) >> ; >> + ; edx contain the memory encryption bit mask, must be applied >> + ; to upper 31 bit on 64-bit address >> + ; >> mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR >> + mov dword[PT_ADDR (4)], edx >> >> ; >> ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) >> ; >> mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR >> + mov dword[PT_ADDR (0x1004)], edx >> mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR >> + mov dword[PT_ADDR (0x100C)], edx >> mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR >> + mov dword[PT_ADDR (0x1004)], edx > > Shouldn't this be 0x1014? > >> mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR >> + mov dword[PT_ADDR (0x100C)], edx > > Same here, shouldn't this be 0x101C? Right. Other than that, it looks sane to me. Thanks Laszlo > > Thanks, > Tom > >> >> ; >> ; Page Table Entries (2048 * 2MB entries => 4GB) >> @@ -83,6 +134,7 @@ pageTableEntriesLoop: >> shl eax, 21 >> add eax, PAGE_2M_PDE_ATTR >> mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax >> + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx >> loop pageTableEntriesLoop >> >> ; >>