From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <brijesh.ksingh@gmail.com>
Received: from mail-qk0-x241.google.com (mail-qk0-x241.google.com
 [IPv6:2607:f8b0:400d:c09::241])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id A63E580352
 for <edk2-devel@ml01.01.org>; Tue,  7 Mar 2017 08:34:30 -0800 (PST)
Received: by mail-qk0-x241.google.com with SMTP id o135so2286039qke.2
 for <edk2-devel@ml01.01.org>; Tue, 07 Mar 2017 08:34:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=MOl3qvX1Ll/eSSmBRz9KFr7i8ydPh7msyUmZFR+Kkf4=;
 b=iLtCCUvxIc1nWNlVdbr/EjkWvqCQa8qQU/Sfbe30YOty8pQ4UZY2QXvB5gshtmUYjz
 pPCpkQE6ONDES+61b5zCOKO6pBVA7ovKXhLmPrEPjmIwVnKxEpbdcZZ+VVqcmCcKkrbR
 paVjWzD9mabAGHVbAKH7p1SgpNVNBL6JDZhXtbfyU+Wx7dTwSrqgVL3puBukUB+PWK0K
 3XPLsUli7RLjKMIFag2VZ16ICltXWMSHiN/W4VDxypQv52SsstR2FAJ2rwMOxX+VBp7J
 pp+OihC9JEmDvwxosUwPt7+UPbRfwZP23RgQgMPl5QLx6xYAHp6ou/ij37M+LOodwTL2
 Tckw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=MOl3qvX1Ll/eSSmBRz9KFr7i8ydPh7msyUmZFR+Kkf4=;
 b=dfRFKt5NqelsNQ6MIHMGARmKmxMoVXwUrE5b13YdQdSCRHn8uBW20mEL9YWCARtF5d
 toELI8dnOlGpE5yDvddxDoXqOQNHXj2PdnBC+PL+VKc7VmIraxIzzcBnmeicTmTmhZqb
 sxbKjtkEYjnV+2llGldinbhdvO+CMKSU1yfe5hKNFJx7f7fKXQrLCDge+X7Y7I4FPBHL
 /K/3UK05yIY3TAWHmzbVZ8QXxR8mx81ytN/llDxgF2JRiSfLcjCNJRaomZR60sFLspaT
 MkXP6zVKNMrW9/CC7orPNQBqZ19UtQYQUzURsaNmHOZ+F+wzws0jn2ii/kVIkea/omYq
 orxw==
X-Gm-Message-State: AMke39kgoSC0GaM65OEmi+O2Cv72kgW74nM4yZ+6jdSspJokuKhsPsOId31/6+DnCR7iFnfjBFPQoeBzuZLU6w==
X-Received: by 10.55.139.70 with SMTP id n67mr1348249qkd.286.1488904469861;
 Tue, 07 Mar 2017 08:34:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.182.65 with HTTP; Tue, 7 Mar 2017 08:34:29 -0800 (PST)
Received: by 10.12.182.65 with HTTP; Tue, 7 Mar 2017 08:34:29 -0800 (PST)
In-Reply-To: <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com>
References: <148884284887.29188.7643544710695103939.stgit@brijesh-build-machine>
 <148884285589.29188.3336162059588227554.stgit@brijesh-build-machine>
 <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com>
From: Brijesh Singh <brijesh.ksingh@gmail.com>
Date: Tue, 7 Mar 2017 10:34:29 -0600
Message-ID: <CA+HCGMbKuRtOBEikurj+0JRHDvtGGe7O=G6KFNa_GE1uEidZ7Q@mail.gmail.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: edk2-devel@ml01.01.org, lersek@redhat.com, jordan.l.justen@intel.com, 
 leo.duran@amd.com, brijesh.singh@amd.com
X-Content-Filtered-By: Mailman/MimeDel 2.1.21
Subject: Re: [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 16:34:31 -0000
Content-Type: text/plain; charset=UTF-8

On Mar 7, 2017 10:25 AM, "Tom Lendacky" <thomas.lendacky@amd.com> wrote:

On 3/6/2017 5:27 PM, Brijesh Singh wrote:

> SEV guest VMs have the concept of private and shared memory. Private
> memory is encrypted with the guest-specific key, while shared memory
> may be encrypted with hypervisor key. The C-bit (encryption attribute)
> in PTE indicates whether the page is private or shared.
>
> If SEV is active, set the memory encryption attribute while building
> the page table.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  OvmfPkg/ResetVector/Ia32/PageTables64.asm |   52
> +++++++++++++++++++++++++++++
>  1 file changed, 52 insertions(+)
>
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index 6201cad..eaf9732 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -26,6 +26,7 @@ BITS    32
>  %define PAGE_GLOBAL           0x0100
>  %define PAGE_2M_MBO            0x080
>  %define PAGE_2M_PAT          0x01000
> +%define KVM_FEATURE_SEV         0x08
>
>  %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
>                            PAGE_ACCESSED + \
> @@ -37,6 +38,33 @@ BITS    32
>                         PAGE_READ_WRITE + \
>                         PAGE_PRESENT)
>
> +; Check if Secure Encrypted Virtualization (SEV) feature
> +; is enabled in KVM
> +;
> +;  If SEV is enabled, then EAX will contain Memory encryption bit position
> +;
> +CheckKVMSEVFeature:
> +    ; Check for SEV feature
> +    ;  CPUID KVM_FEATURE - Bit 8
> +    mov       eax, 0x40000001
> +    cpuid
> +    bt        eax, KVM_FEATURE_SEV
> +    jnc       NoSev
> +
> +    ; Get memory encryption information
> +    ; CPUID Fn8000_001F[EBX] - Bits 5:0
> +    ;
> +    mov       eax,  0x8000001f
> +    cpuid
> +    mov       eax, ebx
> +    and       eax, 0x3f
> +    jmp       SevExit
> +
> +NoSev:
> +    xor       eax, eax
> +
> +SevExit:
> +    OneTimeCallRet CheckKVMSEVFeature
>
>  ;
>  ; Modified:  EAX, ECX
> @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
>      mov     dword[ecx * 4 + PT_ADDR (0) - 4], eax
>      loop    clearPageTablesMemoryLoop
>
> +    ; Check if it SEV-enabled Guest
> +    ;
> +    OneTimeCall   CheckKVMSEVFeature
> +    xor     edx, edx
> +    test    eax, eax
> +    jz      SevNotActive
> +
> +    ; If SEV is enabled, Memory encryption bit is always above 31
> +    mov     ebx, 32
> +    sub     ebx, eax
> +    bts     edx, eax
> +
> +SevNotActive:
> +
> +    ;
>      ;
>      ; Top level Page Directory Pointers (1 * 512GB entry)
>      ;
> +    ; edx contain the memory encryption bit mask, must be applied
> +    ; to upper 31 bit on 64-bit address
> +    ;
>      mov     dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (4)], edx
>
>      ;
>      ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
>      ;
>      mov     dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x1004)], edx
>      mov     dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x100C)], edx
>      mov     dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x1004)], edx
>

Shouldn't this be 0x1014?


Agreed will fix it. Seems like my copy/paste error.



     mov     dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x100C)], edx
>

Same here, shouldn't this be 0x101C?


Agreed will fix it.


Thanks,
Tom



>      ;
>      ; Page Table Entries (2048 * 2MB entries => 4GB)
> @@ -83,6 +134,7 @@ pageTableEntriesLoop:
>      shl     eax, 21
>      add     eax, PAGE_2M_PDE_ATTR
>      mov     [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
> +    mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
>      loop    pageTableEntriesLoop
>
>      ;
>
>