From: "Ard Biesheuvel"
Date: Wed, 1 Jun 2022 14:25:42 +0200
Subject: Re: [PATCH V3] OvmfPkg/ResetVector: Removing SEV-ES CPUID bit check
To: Peter Gonda
Cc: edk2-devel-groups-io, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Laszlo Ersek, Erdem Aktas, Brijesh Singh, Marc Orr, Gerd Hoffmann

On Tue, 31 May 2022 at 16:40, Peter Gonda wrote:
>
> The SEV-ES bit of Fn800-001F[EAX] - Bit 3 is used for a host to
> determine support for running SEV-ES guests. It should not be checked by
> a guest to determine if it is running under SEV-ES. The guest should use
> the SEV_STATUS MSR Bit 1 to determine if SEV-ES is enabled. This check
> was not part of the original SEV-ES support and was added in
> a91b700e38. Removing the check makes this code consistent with the
> Linux kernel
>
> Fixes: a91b700e38 (Ovmf/ResetVector: Simplify and consolidate the SEV features checks)
>
> Cc: James Bottomley
> Cc: Min Xu
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Jordan Justen
> Cc: Ard Biesheuvel
> Cc: Laszlo Ersek
> Cc: Erdem Aktas
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: Marc Orr
> Signed-off-by: Peter Gonda
> Acked-by: Tom Lendacky
>
> ---
> OvmfPkg/ResetVector/Ia32/AmdSev.asm | 8 --------
> 1 file changed, 8 deletions(-)
>
> diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> index 1f827da3b9..77692db27e 100644
> --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> @@ -265,14 +265,6 @@ CheckSevFeatures: > ; Set the work area header to indicate that the SEV is enabled > mov byte[WORK_AREA_GUEST_TYPE], 1 > > - ; Check for SEV-ES memory encryption feature: > - ; CPUID Fn8000_001F[EAX] - Bit 3 > - ; CPUID raises a #VC exception if running as an SEV-ES guest > - mov eax, 0x8000001f > - cpuid > - bt eax, 3 > - jnc GetSevEncBit > - > ; Check if SEV-ES is enabled > ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) > mov ecx, SEV_STATUS_MSR Thanks Peter, I have queued this up. I did wonder, though: the only remaining reference to GetSevEncBit is a conditional branch that just precedes the label itself. This appears to be a leftover from commit 63c50d3ff2854a76 ("OvmfPkg/ResetVector: cache the SEV status MSR value in workarea") but it looks a bit dodgy.
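
Review bot: the comment that remains above `mov ecx, SEV_STATUS_MSR` ("Check if SEV-ES is enabled", MSR_0xC0010131 bit 1) does not record why CPUID Fn8000_001F[EAX] bit 3 is deliberately not consulted any more, so the rationale lives only in the commit message. A one-line addition to that comment, saying that the CPUID bit is for the host to determine SEV-ES support and that the guest relies on SEV_STATUS MSR bit 1, would help keep the removed check from being reintroduced. Separately, the deleted `jnc GetSevEncBit` was one of the branches to that label; as the reply notes, the only remaining reference is a conditional branch immediately before the label itself, so it is worth confirming in a follow-up whether that branch and the label still serve a purpose.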