On Apr 21, 2021, at 7:09 AM, Andrew Fish via groups.io <afish=apple.com@groups.io> wrote:

https://edk2-docs.gitbook.io/edk-ii-build-specification/2_design_discussion/23_boot_sequence

On Apr 20, 2021, at 11:34 PM, Eric van Tassell <evantass@amd.com> wrote:

On 4/20/21 5:54 PM, Tom Lendacky wrote:

From: Tom Lendacky <thomas.lendacky@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345

The TPM support in OVMF performs MMIO accesses during the PEI phase. At

where are the phases defined and how many others are there?

this point, MMIO ranges have not been marked un-encrypted, so an SEV-ES
guest will fail attempting to perform MMIO to an encrypted address.

Read the PcdTpmBaseAddress and mark the specification defined range
(0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process
the MMIO requests.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---OvmfPkg/PlatformPei/PlatformPei.inf | 1 +OvmfPkg/PlatformPei/AmdSev.c | 19 +++++++++++++++++++2 files changed, 20 insertions(+)diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.infindex 6ef77ba7bb21..de60332e9390 100644--- a/OvmfPkg/PlatformPei/PlatformPei.inf+++ b/OvmfPkg/PlatformPei/PlatformPei.inf@@ -113,6 +113,7 @@ [Pcd][FixedPcd]gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddressgEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVSgEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemorygEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryTypediff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.cindex dddffdebda4b..d524929f9e10 100644--- a/OvmfPkg/PlatformPei/AmdSev.c+++ b/OvmfPkg/PlatformPei/AmdSev.c@@ -141,6 +141,7 @@ AmdSevInitialize (){UINT64 EncryptionMask;+ UINT64 TpmBaseAddress;RETURN_STATUS PcdStatus;//@@ -206,6 +207,24 @@ AmdSevInitialize (}}+ //+ // PEI TPM support will perform MMIO accesses, be sure this range is not+ // marked encrypted.+ //+ TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress);+ if (TpmBaseAddress != 0) {+ RETURN_STATUS DecryptStatus;++ DecryptStatus = MemEncryptSevClearPageEncMask (+ 0,+ TpmBaseAddress,+ EFI_SIZE_TO_PAGES (0x5000),+ FALSE+ );++ ASSERT_RETURN_ERROR 
(DecryptStatus);+ }+//// Check and perform SEV-ES initialization if required.//
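
Review bot: In the PlatformPei.inf hunk, PcdTpmBaseAddress is added under [FixedPcd], but AmdSev.c reads it with PcdGet64 (PcdTpmBaseAddress); FixedPcdGet64 would match the declared access type and make the build-time-constant intent explicit. The PCD belongs to gEfiSecurityPkgTokenSpaceGuid and the diffstat shows this one line as the only INF change, so confirm that SecurityPkg/SecurityPkg.dec is already listed in this INF's [Packages] section, or add it in the same patch.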
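
Review bot: In the second AmdSev.c hunk, the only check on the result of MemEncryptSevClearPageEncMask is ASSERT_RETURN_ERROR (DecryptStatus), which does nothing when asserts are compiled out, so a failed clear would go unnoticed until the first TPM MMIO access fails in an SEV-ES guest. Consider handling the error explicitly and logging it before continuing. The literal in EFI_SIZE_TO_PAGES (0x5000) would also read better as a named constant, with a comment naming the specification the commit message refers to.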