From: "Lendacky, Thomas"
To: devel@edk2.groups.io
CC: Brijesh Singh, James Bottomley, Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Rebecca Cran, Peter Grehan, Anthony Perard, Julien Grall
Subject: [PATCH v3 07/15] OvmfPkg: Obtain SEV encryption mask with the new MemEncryptSevLib API
Date: Thu, 7 Jan 2021 12:48:17 -0600
Message-ID: <9de678c0d66443c6cc33e004a4cac0a0223c2ebc.1610045305.git.thomas.lendacky@amd.com>

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

The early assembler code performs validation for some of the SEV-related information, specifically the encryption bit position. The new MemEncryptSevGetEncryptionMask() interface provides access to this validated value.

To ensure that we always use a validated encryption mask for an SEV-ES guest, update all locations that use CPUID to calculate the encryption mask to use the new interface.

Also, clean up some call areas where extra masking was being performed and where a function call was being used instead of the local variable that was just set using the function.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Rebecca Cran
Cc: Peter Grehan
Cc: Brijesh Singh
Cc: Anthony Perard
Cc: Julien Grall
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
--- OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 ++---------- OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c | 15 +++++-------= --- OvmfPkg/PlatformPei/AmdSev.c | 12 ++---------- OvmfPkg/XenPlatformPei/AmdSev.c | 12 ++---------- 4 files changed, 11 insertions(+), 40 deletions(-) diff --git a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c b/OvmfPkg/Bhyve/PlatformPei= /AmdSev.c index e484f4b311fe..e3ed78581c1b 100644 --- a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c +++ b/OvmfPkg/Bhyve/PlatformPei/AmdSev.c 
@@ -1,7 +1,7 @@ /**@file Initialize Secure Encrypted Virtualization (SEV) support =20 - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
+ Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<= BR> =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -15,8 +15,6 @@ #include #include #include -#include -#include #include =20 #include "Platform.h" @@ -32,7 +30,6 @@ AmdSevInitialize ( VOID ) { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; UINT64 EncryptionMask; RETURN_STATUS PcdStatus; =20 @@ -43,15 +40,10 @@ AmdSevInitialize ( return; } =20 - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); - // // Set Memory Encryption Mask PCD // + EncryptionMask =3D MemEncryptSevGetEncryptionMask (); PcdStatus =3D PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, Encryption= Mask); ASSERT_RETURN_ERROR (PcdStatus); =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c b/Ovm= fPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c index 5e110c84ff81..6422bc53bd5d 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c @@ -3,7 +3,7 @@ Virtual Memory Management Services to set or clear the memory encryption= bit =20 Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
- Copyright (c) 2017, AMD Incorporated. All rights reserved.
+ Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -12,6 +12,7 @@ **/ =20 #include +#include #include #include =20 @@ -39,17 +40,12 @@ GetMemEncryptionAddressMask ( ) { UINT64 EncryptionMask; - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; =20 if (mAddressEncMaskChecked) { return mAddressEncMask; } =20 - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); + EncryptionMask =3D MemEncryptSevGetEncryptionMask (); =20 mAddressEncMask =3D EncryptionMask & PAGING_1G_ADDRESS_MASK_64; mAddressEncMaskChecked =3D TRUE; @@ -289,8 +285,7 @@ SetPageTablePoolReadOnly ( LevelSize[3] =3D SIZE_1GB; LevelSize[4] =3D SIZE_512GB; =20 - AddressEncMask =3D GetMemEncryptionAddressMask() & - PAGING_1G_ADDRESS_MASK_64; + AddressEncMask =3D GetMemEncryptionAddressMask(); PageTable =3D (UINT64 *)(UINTN)PageTableBase; PoolUnitSize =3D PAGE_TABLE_POOL_UNIT_SIZE; =20 @@ -437,7 +432,7 @@ Split1GPageTo2M ( =20 AddressEncMask =3D GetMemEncryptionAddressMask (); ASSERT (PageDirectoryEntry !=3D NULL); - ASSERT (*PageEntry1G & GetMemEncryptionAddressMask ()); + ASSERT (*PageEntry1G & AddressEncMask); // // Fill in 1G page entry. // diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 4a515a484720..954d53eba4e8 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -1,7 +1,7 @@ /**@file Initialize Secure Encrypted Virtualization (SEV) support =20 - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
+ Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<= BR> =20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -17,9 +17,7 @@ #include #include #include -#include #include -#include #include =20 #include "Platform.h" @@ -116,7 +114,6 @@ AmdSevInitialize ( VOID ) { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; UINT64 EncryptionMask; RETURN_STATUS PcdStatus; =20 @@ -127,15 +124,10 @@ AmdSevInitialize ( return; } =20 - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); - // // Set Memory Encryption Mask PCD // + EncryptionMask =3D MemEncryptSevGetEncryptionMask (); PcdStatus =3D PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, Encryption= Mask); ASSERT_RETURN_ERROR (PcdStatus); =20 diff --git a/OvmfPkg/XenPlatformPei/AmdSev.c b/OvmfPkg/XenPlatformPei/AmdSe= v.c index 7ebbb5cc1fd2..4ed448632ae2 100644 --- a/OvmfPkg/XenPlatformPei/AmdSev.c +++ b/OvmfPkg/XenPlatformPei/AmdSev.c @@ -1,7 +1,7 @@ /**@file Initialize Secure Encrypted Virtualization (SEV) support =20 - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
+ Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<= BR> Copyright (c) 2019, Citrix Systems, Inc. =20 SPDX-License-Identifier: BSD-2-Clause-Patent @@ -14,8 +14,6 @@ #include #include #include -#include -#include =20 #include "Platform.h" =20 @@ -30,7 +28,6 @@ AmdSevInitialize ( VOID ) { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; UINT64 EncryptionMask; RETURN_STATUS PcdStatus; =20 @@ -41,15 +38,10 @@ AmdSevInitialize ( return; } =20 - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); - // // Set Memory Encryption Mask PCD // + EncryptionMask =3D MemEncryptSevGetEncryptionMask (); PcdStatus =3D PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, Encryption= Mask); ASSERT_RETURN_ERROR (PcdStatus); =20 --=20 2.30.0
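
Review bot: In AmdSevInitialize() in OvmfPkg/Bhyve/PlatformPei/AmdSev.c (the hunks in OvmfPkg/PlatformPei/AmdSev.c and OvmfPkg/XenPlatformPei/AmdSev.c are identical), the return value of MemEncryptSevGetEncryptionMask () is passed to PcdSet64S without a check that it is non-zero. The removed LShiftU64 (1, Ebx.Bits.PtePosBits) expression could never produce zero, so the new call introduces a value that the visible code does not constrain. Consider ASSERT (EncryptionMask != 0) before setting PcdPteMemoryEncryptionAddressOrMask. The deleted CPUID comment was also the only note on where the mask comes from; a one-line comment stating that it is the value validated by the early assembler code would keep that documented.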
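
Review bot: In SetPageTablePoolReadOnly() in OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c, dropping the explicit "& PAGING_1G_ADDRESS_MASK_64" is only correct if every return path of GetMemEncryptionAddressMask() returns the masked mAddressEncMask. The cached path in the earlier hunk visibly does ("return mAddressEncMask;"), but the first-call return lies outside the hunk context. Please confirm that it returns mAddressEncMask rather than the local EncryptionMask, or show that line in the context so the masking invariant can be checked from the patch alone.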
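
Review bot: In Split1GPageTo2M() in VirtualMemory.c, the rewritten "ASSERT (*PageEntry1G & AddressEncMask);" still relies on an implicit non-zero test of a bitwise AND. Since the line is being touched anyway, an explicit comparison, ASSERT ((*PageEntry1G & AddressEncMask) != 0), states the intent (the 1G entry must carry the encryption bit) and rules out a misreading of the operator.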
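
Review bot: The copyright hunks at the top of all four files extend the range to "2017 - 2020", while this revision of the series is dated 7 Jan 2021. If the year is meant to track the submission, update it to 2021; if it reflects when the change was written, leave it.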