public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Andrew Fish" <afish@apple.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>,
	Andrew Fish <afish@apple.com>
Cc: evantass@amd.com, Tom Lendacky <thomas.lendacky@amd.com>,
	Joerg Roedel <joro@8bytes.org>, Borislav Petkov <bp@alien8.de>,
	Laszlo Ersek <lersek@redhat.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>
Subject: Re: [edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV
Date: Wed, 21 Apr 2021 10:20:48 -0700	[thread overview]
Message-ID: <E1CC4041-3EC6-4495-9FB5-32C68DA06902@apple.com> (raw)
In-Reply-To: <1677E4DA25FD7265.31957@groups.io>

[-- Attachment #1: Type: text/plain, Size: 4054 bytes --]

Tom,

The phases are defined by the UEFI Platform Initialization Specification [1] (PI Spec). Basically the UEFI Specification defines how to write EFI OS Loaders and Option ROMs and EFI is just defined in the context of how EFI services are passed into applications or drivers. The UEFI Platform Initialization Specification is how to write modular bits of the firmware that interoperate. So all PI systems produce UEFI, but not all UEFI systems are built out of PI. There are also some schemes that use the early parts of PI, but not all of it but this is confusing enough without talking about that. 

[1] https://uefi.org/specifications

Thanks,

Andrew Fish


> On Apr 21, 2021, at 7:09 AM, Andrew Fish via groups.io <afish=apple.com@groups.io> wrote:
> 
> https://edk2-docs.gitbook.io/edk-ii-build-specification/2_design_discussion/23_boot_sequence <https://edk2-docs.gitbook.io/edk-ii-build-specification/2_design_discussion/23_boot_sequence>
> 
> 
>> On Apr 20, 2021, at 11:34 PM, Eric van Tassell <evantass@amd.com> wrote:
>> 
>> 
>> 
>> On 4/20/21 5:54 PM, Tom Lendacky wrote:
>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345
>>> The TPM support in OVMF performs MMIO accesses during the PEI phase. At
>> 
>> where are the phases defined and how many other are there?
>> 
>>> this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES
>>> guest will fail attempting to perform MMIO to an encrypted address.
>>> Read the PcdTpmBaseAddress and mark the specification defined range
>>> (0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process
>>> the MMIO requests.
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Brijesh Singh <brijesh.singh@amd.com>
>>> Cc: James Bottomley <jejb@linux.ibm.com>
>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>> Cc: Min Xu <min.m.xu@intel.com>
>>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>>> ---
>>>  OvmfPkg/PlatformPei/PlatformPei.inf |  1 +
>>>  OvmfPkg/PlatformPei/AmdSev.c        | 19 +++++++++++++++++++
>>>  2 files changed, 20 insertions(+)
>>> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
>>> index 6ef77ba7bb21..de60332e9390 100644
>>> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
>>> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
>>> @@ -113,6 +113,7 @@ [Pcd]
>>>    [FixedPcd]
>>>    gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
>>> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
>>>    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS
>>>    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory
>>>    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
>>> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
>>> index dddffdebda4b..d524929f9e10 100644
>>> --- a/OvmfPkg/PlatformPei/AmdSev.c
>>> +++ b/OvmfPkg/PlatformPei/AmdSev.c
>>> @@ -141,6 +141,7 @@ AmdSevInitialize (
>>>    )
>>>  {
>>>    UINT64                            EncryptionMask;
>>> +  UINT64                            TpmBaseAddress;
>>>    RETURN_STATUS                     PcdStatus;
>>>      //
>>> @@ -206,6 +207,24 @@ AmdSevInitialize (
>>>      }
>>>    }
>>>  +  //
>>> +  // PEI TPM support will perform MMIO accesses, be sure this range is not
>>> +  // marked encrypted.
>>> +  //
>>> +  TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress);
>>> +  if (TpmBaseAddress != 0) {
>>> +    RETURN_STATUS  DecryptStatus;
>>> +
>>> +    DecryptStatus = MemEncryptSevClearPageEncMask (
>>> +                      0,
>>> +                      TpmBaseAddress,
>>> +                      EFI_SIZE_TO_PAGES (0x5000),
>>> +                      FALSE
>>> +                      );
>>> +
>>> +    ASSERT_RETURN_ERROR (DecryptStatus);
>>> +  }
>>> +
>>>    //
>>>    // Check and perform SEV-ES initialization if required.
>>>    //
>> 
>> 
>> 
>> 
>> 
> 


[-- Attachment #2: Type: text/html, Size: 14266 bytes --]

  parent reply	other threads:[~2021-04-21 17:21 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-20 22:54 [PATCH 0/3] SEV-ES TPM enablement fixes Lendacky, Thomas
2021-04-20 22:54 ` [PATCH 1/3] OvfmPkg/VmgExitLib: Properly decode MMIO MOVZX and MOVSX opcodes Lendacky, Thomas
2021-04-22  5:28   ` [edk2-devel] " Laszlo Ersek
2021-04-22 13:35     ` Lendacky, Thomas
2021-04-23  9:07       ` Laszlo Ersek
2021-04-20 22:54 ` [PATCH 2/3] OvmfPkg/VmgExitLib: Add support for new MMIO MOV opcodes Lendacky, Thomas
2021-04-22  5:50   ` [edk2-devel] " Laszlo Ersek
2021-04-22 14:15     ` Lendacky, Thomas
2021-04-22 15:42       ` Lendacky, Thomas
2021-04-23  9:10         ` Laszlo Ersek
2021-04-23 13:24           ` Lendacky, Thomas
2021-04-20 22:54 ` [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV Lendacky, Thomas
2021-04-20 23:17   ` Eric van Tassell
2021-04-21 14:09     ` [edk2-devel] " Andrew Fish
     [not found]     ` <1677E4DA25FD7265.31957@groups.io>
2021-04-21 17:20       ` Andrew Fish [this message]
2021-04-21 17:45         ` Lendacky, Thomas
2021-04-21 22:24           ` Andrew Fish
2021-04-22  6:07     ` Laszlo Ersek
2021-04-23 10:26   ` Laszlo Ersek
2021-04-23 13:04     ` [edk2-devel] " Laszlo Ersek
2021-04-23 13:09       ` Laszlo Ersek
2021-04-23 17:41       ` Lendacky, Thomas
2021-04-23 20:02         ` Lendacky, Thomas
2021-04-26 12:07           ` Laszlo Ersek
2021-04-26 14:21             ` Lendacky, Thomas
2021-04-27 14:58               ` Lendacky, Thomas
2021-04-28 16:12                 ` Laszlo Ersek
2021-04-28 19:09                   ` Lendacky, Thomas
2021-04-30 15:39                     ` Laszlo Ersek
2021-04-30 17:37                       ` Lendacky, Thomas
2021-04-26 11:08         ` Laszlo Ersek
     [not found] ` <1677B2EC90F30786.1355@groups.io>
2021-04-20 23:13   ` Lendacky, Thomas
2021-04-22  7:34     ` Laszlo Ersek
2021-04-22  8:31       ` Laszlo Ersek
2021-04-22  8:39       ` Laszlo Ersek
2021-04-22 19:10         ` Lendacky, Thomas
2021-04-23  9:28           ` Laszlo Ersek
2021-04-22 14:51       ` Lendacky, Thomas
2021-04-22 16:04         ` Lendacky, Thomas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E1CC4041-3EC6-4495-9FB5-32C68DA06902@apple.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox