From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+116084+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id E9673740039
	for <rebecca@openfw.io>; Wed, 28 Feb 2024 04:51:14 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=VxsfCje7O6E/Pi5jNyL0Su6HGGyt11tde+1IyChAkPs=;
 c=relaxed/simple; d=groups.io;
 h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding;
 s=20140610; t=1709095873; v=1;
 b=YsrzomyoaCuQnBw/hIgrlTGiMJ0LyJ7lBuxZRxWAPn8uz+9PDNdPgY8dXk+1yI3xQJnFq1E1
 sMahWjw7/a3Z6J6Mi/+JwzBs7luLaVOnU4AHyMymZs98wgQPuCNX35D5pPuYiOdY0G4rt4U3n6l
 5bCCDkXNbb4DrORlM1mJnJc4=
X-Received: by 127.0.0.2 with SMTP id Y0v6YY7687511xjTV98ZrUTt; Tue, 27 Feb 2024 20:51:13 -0800
X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web10.6483.1709095872688410337
 for <devel@edk2.groups.io>;
 Tue, 27 Feb 2024 20:51:12 -0800
X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-224-zPSJmEmLN8ewq1seM0hJkw-1; Tue,
 27 Feb 2024 23:51:08 -0500
X-MC-Unique: zPSJmEmLN8ewq1seM0hJkw-1
X-Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D3580381258D;
	Wed, 28 Feb 2024 04:51:07 +0000 (UTC)
X-Received: from [10.39.192.46] (unknown [10.39.192.46])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id ACCE8492BC6;
	Wed, 28 Feb 2024 04:51:05 +0000 (UTC)
Message-ID: <92bec1c1-08d6-73a9-a2e8-d458e12a51c7@redhat.com>
Date: Wed, 28 Feb 2024 05:51:04 +0100
MIME-Version: 1.0
Subject: Re: [edk2-devel] [PATCH 05/10] OvmfPkg/ResetVector: split SEV and non-CoCo workflows
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: Tom Lendacky <thomas.lendacky@amd.com>, Jiewen Yao
 <jiewen.yao@intel.com>, Oliver Steffen <osteffen@redhat.com>,
 Erdem Aktas <erdemaktas@google.com>, Michael Roth <michael.roth@amd.com>,
 Ard Biesheuvel <ardb+tianocore@kernel.org>, Min Xu <min.m.xu@intel.com>
References: <20240222115435.85794-1-kraxel@redhat.com>
 <20240222115435.85794-6-kraxel@redhat.com>
From: "Laszlo Ersek" <lersek@redhat.com>
In-Reply-To: <20240222115435.85794-6-kraxel@redhat.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,lersek@redhat.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: HwIBi8TvO2iO29utxzT6Yachx7686176AA=
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=Ysrzomyo;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

On 2/22/24 12:54, Gerd Hoffmann wrote:
> Use separate control flows for SEV and non-CoCo cases.
>=20
> SevClearPageEncMaskForGhcbPage and GetSevCBitMaskAbove31 will now only
> be called when running in SEV mode, so the SEV check in these functions
> is not needed any more.
>=20
> No functional change.
>=20
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  OvmfPkg/ResetVector/Ia32/AmdSev.asm       | 16 ++--------------
>  OvmfPkg/ResetVector/Ia32/PageTables64.asm | 17 ++++++++++++++---
>  2 files changed, 16 insertions(+), 17 deletions(-)
>=20
> diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia=
32/AmdSev.asm
> index 043c88a7abbe..ed94f1dc668f 100644
> --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> @@ -152,12 +152,8 @@ SevEsUnexpectedRespTerminate:
> =20
>  %ifdef ARCH_X64
> =20
> -; If SEV-ES is enabled then initialize and make the GHCB page shared
> +; initialize and make the GHCB page shared

(1) This comment update is unjustified, I suggest reverting it.

(The SEV check is indeed superfluous below, but you -- correctly -- keep
the SEV-ES check, and the comment here is about SEV-ES, not SEV. Because
the check stays, the comment should stay too.)

>  SevClearPageEncMaskForGhcbPage:
> -    ; Check if SEV is enabled
> -    cmp       byte[WORK_AREA_GUEST_TYPE], 1
> -    jnz       SevClearPageEncMaskForGhcbPageExit
> -
>      ; Check if SEV-ES is enabled
>      mov       ecx, 1
>      bt        [SEV_ES_WORK_AREA_STATUS_MSR], ecx
> @@ -195,20 +191,12 @@ pageTableEntries4kLoop:
>  SevClearPageEncMaskForGhcbPageExit:
>      OneTimeCallRet SevClearPageEncMaskForGhcbPage
> =20
> -; Check if SEV is enabled, and get the C-bit mask above 31.
> +; Get the C-bit mask above 31.
>  ; Modified: EDX
>  ;
>  ; The value is returned in the EDX
>  GetSevCBitMaskAbove31:
> -    xor       edx, edx
> -
> -    ; Check if SEV is enabled
> -    cmp       byte[WORK_AREA_GUEST_TYPE], 1
> -    jnz       GetSevCBitMaskAbove31Exit
> -
>      mov       edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4]
> -
> -GetSevCBitMaskAbove31Exit:
>      OneTimeCallRet GetSevCBitMaskAbove31
> =20
>  %endif
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVec=
tor/Ia32/PageTables64.asm
> index 166e80293c89..84a7b4efc019 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -118,15 +118,26 @@ SetCr3ForPageTables64:
> =20
>      ; Check whether the SEV is active and populate the SevEsWorkArea
>      OneTimeCall   CheckSevFeatures
> +    cmp       byte[WORK_AREA_GUEST_TYPE], 1
> +    jz        SevInit
> =20
> +    ;
> +    ; normal (non-CoCo) workflow
> +    ;
> +    ClearOvmfPageTables
> +    CreatePageTables4Level 0
> +    jmp SetCr3
> +
> +SevInit:
> +    ;
> +    ; SEV workflow
> +    ;
> +    ClearOvmfPageTables
>      ; If SEV is enabled, the C-bit position is always above 31.
>      ; The mask will be saved in the EDX and applied during the
>      ; the page table build below.
>      OneTimeCall   GetSevCBitMaskAbove31
> -
> -    ClearOvmfPageTables
>      CreatePageTables4Level edx
> -
>      ; Clear the C-bit from the GHCB page if the SEV-ES is enabled.
>      OneTimeCall   SevClearPageEncMaskForGhcbPage
>      jmp SetCr3

Nice.

The patch also sneakily reorders ClearOvmfPageTables against
GetSevCBitMaskAbove31 -- but that's an improvement: this way we no
longer depend on ClearOvmfPageTables not modifying EDX; instead, EDX
directly passes from GetSevCBitMaskAbove31 to CreatePageTables4Level.

With (1) undone:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116084): https://edk2.groups.io/g/devel/message/116084
Mute This Topic: https://groups.io/mt/104506794/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-