From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qk0-x241.google.com (mail-qk0-x241.google.com [IPv6:2607:f8b0:400d:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A63E580352 for ; Tue, 7 Mar 2017 08:34:30 -0800 (PST) Received: by mail-qk0-x241.google.com with SMTP id o135so2286039qke.2 for ; Tue, 07 Mar 2017 08:34:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MOl3qvX1Ll/eSSmBRz9KFr7i8ydPh7msyUmZFR+Kkf4=; b=iLtCCUvxIc1nWNlVdbr/EjkWvqCQa8qQU/Sfbe30YOty8pQ4UZY2QXvB5gshtmUYjz pPCpkQE6ONDES+61b5zCOKO6pBVA7ovKXhLmPrEPjmIwVnKxEpbdcZZ+VVqcmCcKkrbR paVjWzD9mabAGHVbAKH7p1SgpNVNBL6JDZhXtbfyU+Wx7dTwSrqgVL3puBukUB+PWK0K 3XPLsUli7RLjKMIFag2VZ16ICltXWMSHiN/W4VDxypQv52SsstR2FAJ2rwMOxX+VBp7J pp+OihC9JEmDvwxosUwPt7+UPbRfwZP23RgQgMPl5QLx6xYAHp6ou/ij37M+LOodwTL2 Tckw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MOl3qvX1Ll/eSSmBRz9KFr7i8ydPh7msyUmZFR+Kkf4=; b=dfRFKt5NqelsNQ6MIHMGARmKmxMoVXwUrE5b13YdQdSCRHn8uBW20mEL9YWCARtF5d toELI8dnOlGpE5yDvddxDoXqOQNHXj2PdnBC+PL+VKc7VmIraxIzzcBnmeicTmTmhZqb sxbKjtkEYjnV+2llGldinbhdvO+CMKSU1yfe5hKNFJx7f7fKXQrLCDge+X7Y7I4FPBHL /K/3UK05yIY3TAWHmzbVZ8QXxR8mx81ytN/llDxgF2JRiSfLcjCNJRaomZR60sFLspaT MkXP6zVKNMrW9/CC7orPNQBqZ19UtQYQUzURsaNmHOZ+F+wzws0jn2ii/kVIkea/omYq orxw== X-Gm-Message-State: AMke39kgoSC0GaM65OEmi+O2Cv72kgW74nM4yZ+6jdSspJokuKhsPsOId31/6+DnCR7iFnfjBFPQoeBzuZLU6w== X-Received: by 10.55.139.70 with SMTP id n67mr1348249qkd.286.1488904469861; Tue, 07 Mar 2017 08:34:29 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.182.65 with HTTP; Tue, 7 Mar 2017 08:34:29 -0800 (PST) Received: by 10.12.182.65 with HTTP; Tue, 7 Mar 2017 08:34:29 -0800 (PST) In-Reply-To: <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com> References: <148884284887.29188.7643544710695103939.stgit@brijesh-build-machine> <148884285589.29188.3336162059588227554.stgit@brijesh-build-machine> <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com> From: Brijesh Singh Date: Tue, 7 Mar 2017 10:34:29 -0600 Message-ID: To: Tom Lendacky Cc: edk2-devel@ml01.01.org, lersek@redhat.com, jordan.l.justen@intel.com, leo.duran@amd.com, brijesh.singh@amd.com X-Content-Filtered-By: Mailman/MimeDel 2.1.21 Subject: Re: [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Mar 2017 16:34:31 -0000 Content-Type: text/plain; charset=UTF-8 On Mar 7, 2017 10:25 AM, "Tom Lendacky" wrote: On 3/6/2017 5:27 PM, Brijesh Singh wrote: > SEV guest VMs have the concept of private and shared memory. Private > memory is encrypted with the guest-specific key, while shared memory > may be encrypted with hypervisor key. The C-bit (encryption attribute) > in PTE indicates whether the page is private or shared. > > If SEV is active, set the memory encryption attribute while building > the page table. > > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Brijesh Singh > --- > OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 > +++++++++++++++++++++++++++++ > 1 file changed, 52 insertions(+) > > diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > index 6201cad..eaf9732 100644 > --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > @@ -26,6 +26,7 @@ BITS 32 > %define PAGE_GLOBAL 0x0100 > %define PAGE_2M_MBO 0x080 > %define PAGE_2M_PAT 0x01000 > +%define KVM_FEATURE_SEV 0x08 > > %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ > PAGE_ACCESSED + \ > @@ -37,6 +38,33 @@ BITS 32 > PAGE_READ_WRITE + \ > PAGE_PRESENT) > > +; Check if Secure Encrypted Virtualization (SEV) feature > +; is enabled in KVM > +; > +; If SEV is enabled, then EAX will contain Memory encryption bit position > +; > +CheckKVMSEVFeature: > + ; Check for SEV feature > + ; CPUID KVM_FEATURE - Bit 8 > + mov eax, 0x40000001 > + cpuid > + bt eax, KVM_FEATURE_SEV > + jnc NoSev > + > + ; Get memory encryption information > + ; CPUID Fn8000_001F[EBX] - Bits 5:0 > + ; > + mov eax, 0x8000001f > + cpuid > + mov eax, ebx > + and eax, 0x3f > + jmp SevExit > + > +NoSev: > + xor eax, eax > + > +SevExit: > + OneTimeCallRet CheckKVMSEVFeature > > ; > ; Modified: EAX, ECX > @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop: > mov dword[ecx * 4 + PT_ADDR (0) - 4], eax > loop clearPageTablesMemoryLoop > > + ; Check if it SEV-enabled Guest > + ; > + OneTimeCall CheckKVMSEVFeature > + xor edx, edx > + test eax, eax > + jz SevNotActive > + > + ; If SEV is enabled, Memory encryption bit is always above 31 > + mov ebx, 32 > + sub ebx, eax > + bts edx, eax > + > +SevNotActive: > + > + ; > ; > ; Top level Page Directory Pointers (1 * 512GB entry) > ; > + ; edx contain the memory encryption bit mask, must be applied > + ; to upper 31 bit on 64-bit address > + ; > mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (4)], edx > > ; > ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) > ; > mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x1004)], edx > mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x100C)], edx > mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x1004)], edx > Shouldn't this be 0x1014? Agreed will fix it. Seems like my copy/paste error. mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x100C)], edx > Same here, shouldn't this be 0x101C? Agreed will fix it. Thanks, Tom > ; > ; Page Table Entries (2048 * 2MB entries => 4GB) > @@ -83,6 +134,7 @@ pageTableEntriesLoop: > shl eax, 21 > add eax, PAGE_2M_PDE_ATTR > mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax > + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx > loop pageTableEntriesLoop > > ; > >