From: Erdem Aktas
Date: Mon, 3 May 2021 06:05:26 -0700
Subject: Re: [PATCH RFC v2 17/28] OvmfPkg/ResetVector: Invalidate the GHCB page
To: Brijesh Singh
Cc: devel@edk2.groups.io, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
In-Reply-To: <20210430115148.22267-18-brijesh.singh@amd.com>
References: <20210430115148.22267-1-brijesh.singh@amd.com> <20210430115148.22267-18-brijesh.singh@amd.com>

Hi Brijesh,

I have a few naive questions inlined:

On Fri, Apr 30, 2021 at 4:52 AM Brijesh Singh wrote:
> + ; Use PVALIDATE instruction to invalidate the page
> + mov eax, GHCB_BASE
> + mov ecx, 0
> + mov edx, 0
> + DB 0xF2, 0x0F, 0x01, 0xFF
> + cmp eax, 0
> + jnz TerminateSevGuestLaunch

Any reason why the PVALIDATE return value (EFLAGS.CF) is not checked here? IMO, this might lead to some page replay attacks.

>
> + ;
> + ; The page table built above cleared the memory encryption mask from the
> + ; GHCB_BASE (aka made it shared). When SEV-SNP is enabled, to maintain
> + ; the security guarantees, the page state transition from private to
> + ; shared must go through the page invalidation steps. Invalidate the
> + ; memory range before loading the page table below.
> + ;
> + ; NOTE: the invalidation must happen after zeroing the GHCB memory. This
> + ; is because, in the 32-bit mode all the access are considered private.
> + ; The invalidation before the zero'ing will cause a #VC.
> + ;
> + OneTimeCall InvalidateGHCBPage

I am not sure if this is a great idea.

1. Zeroing page content before paging is enabled. We are actually writing 0s encrypted with a guest key.
2. Invalidating the page and making it shared.

Doesn't this reveal a mapping of what 0s look like when a specific page is encrypted? And when the page is marked as shared, from the guest and host perspective, it is not zeroed but filled with some data that looks random. So what is the purpose of zeroing the page before invalidation?

Thanks
-Erdem
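Review bot: the `cmp eax, 0` / `jnz TerminateSevGuestLaunch` pair in the InvalidateGHCBPage hunk tests only the status code in EAX and never examines EFLAGS.CF, which PVALIDATE sets when the RMP entry was already in the requested state and it therefore made no change; worse, `cmp eax, 0` itself rewrites CF (subtracting zero never borrows, so CF ends up clear), so a carry check added after the compare would never fire. Test the carry flag first, immediately after the `DB 0xF2, 0x0F, 0x01, 0xFF` line, e.g. `jc TerminateSevGuestLaunch` ahead of `cmp eax, 0`, and add a comment above the `DB` line stating that those bytes are the PVALIDATE encoding and what the three registers carry (EAX: page address, ECX: page size, EDX: validated bit), since the hunk names the instruction but not the operand convention.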
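Review bot: the NOTE in the comment block above `OneTimeCall InvalidateGHCBPage` establishes that the GHCB page is zeroed while every access is private, i.e. through the encrypted mapping, and that the page is then invalidated and remapped with the encryption mask cleared; a shared read of the same bytes afterwards returns ciphertext, not zeros, so the comment should state what the earlier zeroing is meant to achieve, or the code should zero the page again once the page table that makes it shared has been loaded. "to maintain the security guarantees" is also vague; spell out what the invalidation prevents (a page the guest goes on to use as shared remaining validated in the RMP), and while touching the comment fix "all the access are considered private" to "all accesses are considered private" and "zero'ing" to "zeroing".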
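Following Erdem's first question about EFLAGS.CF, here is an added example that is not part of this thread and not OvmfPkg code: a small C model of the PVALIDATE result contract, written to show what a caller that tests only EAX cannot distinguish. Nothing in it executes the real instruction. The status values (EAX 0 = success, 1 = FAIL_INPUT, 6 = FAIL_SIZEMISMATCH) and the rule "CF = 1 and no change when the RMP entry is already in the requested state" follow AMD's published description of PVALIDATE; the RMP array, the `rmp_*` setup helpers and the `guest_*` callers are hypothetical names invented for the example.

```c
/*
 * Added example (not OvmfPkg code, not from this thread): a software model of
 * the PVALIDATE result contract. Nothing here executes the real instruction.
 * Status codes and the CF rule follow AMD's published description of
 * PVALIDATE; the RMP is a toy array and all helper names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NUM_PAGES  16

enum { PV_SUCCESS = 0, PV_FAIL_INPUT = 1, PV_FAIL_SIZEMISMATCH = 6 };
enum { PV_SIZE_4K = 0, PV_SIZE_2M = 1 };
enum { PV_INVALIDATE = 0, PV_VALIDATE = 1 };

struct rmp_entry {
    bool validated;   /* the RMP.VALIDATED bit, owned by the guest */
    bool large;       /* entry describes a 2M page */
};

struct pvalidate_result {
    uint32_t eax;     /* status code returned in EAX */
    bool cf;          /* EFLAGS.CF: entry was already in the requested state */
};

static struct rmp_entry rmp[NUM_PAGES];   /* toy RMP, one entry per 4K page */

void rmp_reset(void) {
    for (size_t i = 0; i < NUM_PAGES; i++) {
        rmp[i].validated = false;
        rmp[i].large = false;
    }
}

/* Lets the "hypervisor" side of the model leave an entry in a chosen state. */
void rmp_set(size_t idx, bool validated, bool large) {
    if (idx < NUM_PAGES) {
        rmp[idx].validated = validated;
        rmp[idx].large = large;
    }
}

/* Model of PVALIDATE: eax = page address, ecx = page size, edx = validated bit. */
struct pvalidate_result pvalidate_model(uint32_t eax, uint32_t ecx, uint32_t edx) {
    struct pvalidate_result r = { PV_SUCCESS, false };
    size_t idx = eax >> PAGE_SHIFT;

    if (idx >= NUM_PAGES || (eax & 0xFFF) != 0 || ecx > PV_SIZE_2M || edx > PV_VALIDATE) {
        r.eax = PV_FAIL_INPUT;
        return r;
    }
    if ((ecx == PV_SIZE_2M) != rmp[idx].large) {
        r.eax = PV_FAIL_SIZEMISMATCH;
        return r;
    }
    if (rmp[idx].validated == (edx == PV_VALIDATE)) {
        r.cf = true;              /* already in requested state: no change made */
        return r;
    }
    rmp[idx].validated = (edx == PV_VALIDATE);
    return r;
}

/* Caller shaped like the hunk: only the status code is tested. */
int guest_validate_eax_only(uint32_t addr) {
    struct pvalidate_result r = pvalidate_model(addr, PV_SIZE_4K, PV_VALIDATE);
    return r.eax == PV_SUCCESS ? 0 : -1;
}

/* Caller that also treats CF = 1 as failure: a page this guest has never
 * validated must not already be validated when it asks for it. */
int guest_validate_strict(uint32_t addr) {
    struct pvalidate_result r = pvalidate_model(addr, PV_SIZE_4K, PV_VALIDATE);
    if (r.cf)
        return -1;
    return r.eax == PV_SUCCESS ? 0 : -1;
}

/* Private-to-shared transition as in InvalidateGHCBPage, with the CF check. */
int guest_invalidate_strict(uint32_t addr) {
    struct pvalidate_result r = pvalidate_model(addr, PV_SIZE_4K, PV_INVALIDATE);
    if (r.cf)
        return -1;
    return r.eax == PV_SUCCESS ? 0 : -1;
}

int main(void) {
    rmp_reset();
    rmp_set(2, true, false);    /* entry already validated before the guest acts */
    printf("eax-only caller accepts an already-validated page: %d\n",
           guest_validate_eax_only(0x2000) == 0);
    printf("strict caller rejects an already-validated page:   %d\n",
           guest_validate_strict(0x2000) == -1);
    return 0;
}
```

The two callers receive identical EAX values for the pre-validated page; only the CF check separates "I just validated this page" from "someone validated it before me", which is the distinction the question about page replay turns on. The same holds for the invalidate direction used by InvalidateGHCBPage: CF = 1 there means the page was already not validated.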