I think I've acked all patches in UefiCpuPkg.
Please let me know if any other patches need my review.

Thanks,
Ray
From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Lendacky, Thomas via groups.io <thomas.lendacky=amd.com@groups.io>
Sent: Wednesday, April 3, 2024 2:16
To: devel@edk2.groups.io <devel@edk2.groups.io>; Yao, Jiewen <jiewen.yao@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Ni, Ray <ray.ni@intel.com>; Liu, Zhiguang <zhiguang.liu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Guo, Gua <gua.guo@intel.com>; Dong, Guo <guo.dong@intel.com>; Lu, James <james.lu@intel.com>; Rhodes, Sean <sean@starlabs.systems>; Kumar, Rahul R <rahul.r.kumar@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Aktas, Erdem <erdemaktas@google.com>; Gerd Hoffmann <kraxel@redhat.com>; Xu, Min M <min.m.xu@intel.com>; Michael Roth <michael.roth@amd.com>; Anatol Belski <anbelski@linux.microsoft.com>; Anthony Perard <anthony.perard@citrix.com>; Corvin Köhne <corvink@freebsd.org>; Jianyong Wu <jianyong.wu@arm.com>; Rebecca Cran <rebecca@bsdio.com>
Subject: Re: [edk2-devel] [PATCH v3 00/24] Provide SEV-SNP support for running under an SVSM
 
Re-pinging the list/maintainers. Still awaiting feedback/reviews/acks on
the changes.

Thanks,
Tom

On 3/26/24 13:34, Tom Lendacky wrote:
> Any issues with this version of the series? Still looking for
> Reviewed-by's for the MdePkg, UefiCpuPkg and UefiPayloadPkg related
> patches.
>
> Once I get those, I'll submit the edk2-platform patches to support the
> new library as a response to these patches for a quick review.
>
> Thanks,
> Tom
>
> On 3/8/24 09:29, Tom Lendacky wrote:
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
>>
>> This series adds SEV-SNP support for running OVMF under an Secure VM
>> Service Module (SVSM) at a less privileged VM Privilege Level (VMPL).
>> By running at a less priviledged VMPL, the SVSM can be used to provide
>> services, e.g. a virtual TPM, for the guest OS within the SEV-SNP
>> confidential VM (CVM) rather than trust such services from the
>> hypervisor.
>>
>> Currently, OVMF expects to run at the highest VMPL, VMPL0, and there are
>> certain SNP related operations that require that VMPL level.
>> Specifically,
>> the PVALIDATE instruction and the RMPADJUST instruction when setting the
>> the VMSA attribute of a page (used when starting APs).
>>
>> If OVMF is to run at a less privileged VMPL, e.g. VMPL2, then it must
>> use an SVSM (which is running at VMPL0) to perform the operations that
>> it is no longer able to perform.
>>
>> When running under an SVSM, OVMF must know the APIC IDs of the vCPUs that
>> it will be starting. As a result, the GHCB APIC ID retrieval action must
>> be performed. Since this service can also work with SEV-SNP running at
>> VMPL0, the patches to make use of this feature are near the beginning of
>> the series.
>>
>> How OVMF interacts with and uses the SVSM is documented in the SVSM
>> specification [1] and the GHCB specification [2].
>>
>> This support creates a new AmdSvsmLib library that is used by MpInitLib.
>> The edk2-platforms repo requires updates/patches to add the new library
>> requirement. To accomodate that, this series could be split between:
>>
>> patch number 12:
>>    UefiCpuPkg/AmdSvsmLib: Create the AmdSvsmLib library to support an
>> SVSM
>>
>> and patch number 13:
>>    UefiPayloadPkg: Prepare UefiPayloadPkg to use the AmdSvsmLib library
>>
>> The updates to edk2-platforms can be applied at the split.
>>
>> This series introduces support to run OVMF under an SVSM. It consists
>> of:
>>    - Retrieving the list of vCPU APIC IDs and starting up all APs without
>>      performing a broadcast SIPI
>>    - Reorganizing the page state change support to not directly use the
>>      GHCB buffer since an SVSM will use the calling area buffer, instead
>>    - Detecting the presence of an SVSM
>>    - When not running at VMPL0, invoking the SVSM for page validation and
>>      VMSA page creation/deletion
>>    - Detecting and allowing OVMF to run in a VMPL other than 0 when an
>>      SVSM is present
>>
>> The series is based off of commit:
>>
>>    e60529df58e4 ("UefiPayloadPkg: Make Dsc accomodative of other archs")
>>
>> [1]
>> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
>> [2]
>> https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
>>
>> Cc: Anatol Belski <anbelski@linux.microsoft.com>
>> Cc: Anthony Perard <anthony.perard@citrix.com>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Corvin Köhne <corvink@freebsd.org>
>> Cc: Erdem Aktas <erdemaktas@google.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Cc: Gua Guo <gua.guo@intel.com>
>> Cc: Guo Dong <guo.dong@intel.com>
>> Cc: James Lu <james.lu@intel.com>
>> Cc: Jianyong Wu <jianyong.wu@arm.com>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Cc: Michael Roth <michael.roth@amd.com>
>> Cc: Min Xu <min.m.xu@intel.com>
>> Cc: Rahul Kumar <rahul1.kumar@intel.com>
>> Cc: Ray Ni <ray.ni@intel.com>
>> Cc: Rebecca Cran <rebecca@bsdio.com>
>> Cc: Sean Rhodes <sean@starlabs.systems>
>> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
>>
>> ---
>>
>> Changes in v3:
>> - Renamed CcSvsmLib to a more AMD-specific AmdSvsmLib with corresponding
>>    function name changes
>> - Moved the GHCB APIC ID list GUID definition from MdePkg to UefiCpuPkg
>>    and change the name from gEfiApicIdsGuid to gGhcbApicIdsGuid
>> - Separated the OvmfPkg changes for the AmdSvsmLib into two patches:
>>    - First patch adds usage of the AmdSvsmLib NULL library
>>    - Second patch adds the OVMF AmdSvsmLib implementation
>> - Updated the commit message for the OVMF AmdSvsmLib implementation to
>>    indicate that the base functionality for PVALIDATE and RMPADJUST was
>>    copied from the original locations in prep for converting those sites
>>    to using the library API.
>>
>> Changes in v2:
>> - Move the APIC IDs retrieval support to the beginning of the patch
>> series
>>      - Use a GUIDed HOB to hold the APIC ID list instead of a PCD
>> - Split up Page State Change reorganization into multiple patches
>> - Created CcSvsmLib library instead of extending CcExitLib
>>      - This will require a corresponding update to edk2-platform DSC
>> files
>>      - Removed Ray Ni's Acked-by since it is not a minor change
>> - Variable name changes and other misc changes
>>
>> Tom Lendacky (24):
>>    OvmfPkg/BaseMemEncryptLib: Fix error check from AsmRmpAdjust()
>>    MdePkg: GHCB APIC ID retrieval support definitions
>>    UefiCpuPkg/MpInitLib: Always use AP Create if GhcbApicIds HOB is
>>      present
>>    OvmfPkg/PlatformPei: Retrieve APIC IDs from the hypervisor
>>    OvmfPkg/BaseMemEncryptSevLib: Fix uncrustify errors
>>    OvmfPkg/BaseMemEncryptSevLib: Calculate memory size for Page State
>>      Change
>>    MdePkg: Avoid hardcoded value for number of Page State Change entries
>>    OvmfPkg/BaseMemEncryptSevLib: Re-organize page state change support
>>    OvmfPkg/BaseMemEncryptSevLib: Maximize Page State Change efficiency
>>    MdePkg/Register/Amd: Define the SVSM related information
>>    MdePkg/BaseLib: Add a new VMGEXIT instruction invocation for SVSM
>>    UefiCpuPkg/AmdSvsmLib: Create the AmdSvsmLib library to support an
>>      SVSM
>>    UefiPayloadPkg: Prepare UefiPayloadPkg to use the AmdSvsmLib library
>>    Ovmfpkg: Prepare OvmfPkg to use the AmdSvsmLib library
>>    Ovmfpkg/AmdSvsmLib: Create AmdSvsmLib to handle SVSM related services
>>    UefiCpuPkg/MpInitLib: Use AmdSvsmSnpVmsaRmpAdjust() to set/clear VMSA
>>    OvmfPkg/BaseMemEncryptSevLib: Use AmdSvsmSnpPvalidate() to validate
>>      pages
>>    OvmfPkg: Create a calling area used to communicate with the SVSM
>>    OvmfPkg/AmdSvsmLib: Add support for the SVSM_CORE_PVALIDATE call
>>    OvmfPkg/BaseMemEncryptSevLib: Maximize Page State Change efficiency
>>    OvmfPkg/AmdSvsmLib: Add support for the SVSM create/delete vCPU calls
>>    UefiCpuPkg/MpInitLib: AP creation support under an SVSM
>>    Ovmfpkg/CcExitLib: Provide SVSM discovery support
>>    OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not at
>>      VMPL0
>>
>>  
>> OvmfPkg/OvmfPkg.dec                                                  
>> |   4 +
>>  
>> UefiCpuPkg/UefiCpuPkg.dec                                            
>> |   8 +-
>>  
>> OvmfPkg/AmdSev/AmdSevX64.dsc                                         
>> |   1 +
>>  
>> OvmfPkg/Bhyve/BhyveX64.dsc                                           
>> |   1 +
>>  
>> OvmfPkg/CloudHv/CloudHvX64.dsc                                       
>> |   1 +
>>  
>> OvmfPkg/IntelTdx/IntelTdxX64.dsc                                     
>> |   1 +
>>  
>> OvmfPkg/Microvm/MicrovmX64.dsc                                       
>> |   1 +
>>  
>> OvmfPkg/OvmfPkgIa32.dsc                                              
>> |   1 +
>>  
>> OvmfPkg/OvmfPkgIa32X64.dsc                                           
>> |   3 +-
>>  
>> OvmfPkg/OvmfPkgX64.dsc                                               
>> |   1 +
>>  
>> OvmfPkg/OvmfXen.dsc                                                  
>> |   1 +
>>  
>> UefiCpuPkg/UefiCpuPkg.dsc                                            
>> |   4 +-
>>  
>> UefiPayloadPkg/UefiPayloadPkg.dsc                                    
>> |   1 +
>>  
>> OvmfPkg/AmdSev/AmdSevX64.fdf                                         
>> |   9 +-
>>  
>> OvmfPkg/OvmfPkgX64.fdf                                               
>> |   3 +
>>  
>> MdePkg/Library/BaseLib/BaseLib.inf                                   
>> |   2 +
>>  
>> OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.inf                            
>> |  38 ++
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf         
>> |   3 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf         
>> |   3 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf         
>> |   3 +-
>>  
>> OvmfPkg/Library/CcExitLib/CcExitLib.inf                              
>> |   3 +-
>>  
>> OvmfPkg/Library/CcExitLib/SecCcExitLib.inf                           
>> |   3 +-
>>  
>> OvmfPkg/PlatformPei/PlatformPei.inf                                  
>> |   3 +
>>  
>> OvmfPkg/ResetVector/ResetVector.inf                                  
>> |   2 +
>>  
>> UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf                 
>> |  27 ++
>>  
>> UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf                        
>> |   2 +
>>  
>> UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf                        
>> |   2 +
>>  
>> MdePkg/Include/Library/BaseLib.h                                     
>> |  39 ++
>>  
>> MdePkg/Include/Register/Amd/Fam17Msr.h                               
>> |  19 +-
>>  
>> MdePkg/Include/Register/Amd/Ghcb.h                                   
>> |  19 +-
>>  
>> MdePkg/Include/Register/Amd/Msr.h                                    
>> |   3 +-
>>  
>> MdePkg/Include/Register/Amd/Svsm.h                                   
>> | 101 ++++
>>  
>> MdePkg/Include/Register/Amd/SvsmMsr.h                                
>> |  35 ++
>>  
>> OvmfPkg/Include/WorkArea.h                                           
>> |   9 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h        
>> |   6 +-
>>  
>> UefiCpuPkg/Include/Guid/GhcbApicIds.h                                
>> |  17 +
>>  
>> UefiCpuPkg/Include/Library/AmdSvsmLib.h                              
>> | 101 ++++
>>  
>> UefiCpuPkg/Library/MpInitLib/MpLib.h                                 
>> |  29 +-
>>  
>> OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c                              
>> | 500 ++++++++++++++++++++
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c   
>> |  11 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c       
>> |  27 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c   
>> |  22 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c   
>> |  31 +-
>>  
>> OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>> | 206 ++++----
>>  
>> OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                          
>> |  29 +-
>>  
>> OvmfPkg/PlatformPei/AmdSev.c                                         
>> | 103 +++-
>>  
>> UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c                   
>> | 108 +++++
>>  
>> UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c                           
>> |  21 +-
>>  
>> UefiCpuPkg/Library/MpInitLib/MpLib.c                                 
>> |   9 +-
>>  
>> UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c                            
>> | 134 ++++--
>>  
>> MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm                         
>> |  39 ++
>>  
>> MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm                          
>> |  94 ++++
>>  
>> OvmfPkg/ResetVector/ResetVector.nasmb                                
>> |   6 +-
>>  
>> OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm                          
>> |  11 +-
>>  
>> UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.uni                 
>> |  13 +
>>   55 files changed, 1641 insertions(+), 232 deletions(-)
>>   create mode 100644 OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.inf
>>   create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
>>   create mode 100644 MdePkg/Include/Register/Amd/Svsm.h
>>   create mode 100644 MdePkg/Include/Register/Amd/SvsmMsr.h
>>   create mode 100644 UefiCpuPkg/Include/Guid/GhcbApicIds.h
>>   create mode 100644 UefiCpuPkg/Include/Library/AmdSvsmLib.h
>>   create mode 100644 OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
>>   create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
>>   create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm
>>   create mode 100644 MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm
>>   create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.uni
>>





_._,_._,_
Groups.io Links:

You receive all messages sent to this group.

View/Reply Online (#117346) | | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_