From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io", "brijesh.singh@amd.com"
CC: James Bottomley, "Xu, Min M", Tom Lendacky, "Justen, Jordan L", Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, "Kinney, Michael D", Liming Gao, "Liu, Zhiguang", "Ni, Ray", "Kumar, Rahul1", "Dong, Eric"
Subject: Re: [edk2-devel] [PATCH v14 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
Date: Thu, 9 Dec 2021 06:30:59 +0000
In-Reply-To: <20211209032800.3802995-1-brijesh.singh@amd.com>
References: <20211209032800.3802995-1-brijesh.singh@amd.com>

This patch has been merged - https://github.com/tianocore/edk2/pull/2269

> -----Original Message-----
> From: devel@edk2.groups.io
> On Behalf Of Brijesh Singh via groups.io
> Sent: Thursday, December 9, 2021 11:27 AM
> To: devel@edk2.groups.io
> Cc: James Bottomley; Xu, Min M; Yao, Jiewen; Tom Lendacky; Justen, Jordan L;
> Ard Biesheuvel; Erdem Aktas; Michael Roth; Gerd Hoffmann; Kinney, Michael D;
> Liming Gao; Liu, Zhiguang; Ni, Ray; Kumar, Rahul1; Dong, Eric; Brijesh Singh
> Subject: [edk2-devel] [PATCH v14 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>
> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
> new hardware-based memory protections. SEV-SNP adds strong memory integrity
> protection to help prevent malicious hypervisor-based attacks like data
> replay, memory re-mapping and more in order to create an isolated memory
> encryption environment.
>
> This series provides the basic building blocks to support booting the SEV-SNP
> VMs; it does not cover all the security enhancements introduced by SEV-SNP,
> such as interrupt protection.
>
> Many of the integrity guarantees of SEV-SNP are enforced through a new
> structure called the Reverse Map Table (RMP). Adding a new page to an SEV-SNP
> VM requires a 2-step process. First, the hypervisor assigns a page to the
> guest using the new RMPUPDATE instruction. This transitions the page to
> guest-invalid. Second, the guest validates the page using the new PVALIDATE
> instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE"
> defined in the GHCB specification to ask the hypervisor to add or remove a page
> from the RMP table.
>
> Each page assigned to the SEV-SNP VM can either be validated or unvalidated,
> as indicated by the Validated flag in the page's RMP entry. There are two
> approaches that can be taken for the page validation: Pre-validation and
> Lazy Validation.
>
> Under pre-validation, the pages are validated prior to first use. And under
> lazy validation, pages are validated when first accessed. An access to an
> unvalidated page results in a #VC exception, at which time the exception
> handler may validate the page. Lazy validation requires careful tracking of
> the validated pages to avoid validating the same GPA more than once. The
> recently introduced "Unaccepted" memory type can be used to communicate the
> unvalidated memory ranges to the Guest OS.
>
> At this time we only support the pre-validation. OVMF detects all the available
> system RAM in the PEI phase. When SEV-SNP is enabled, the memory is validated
> before it is made available to the EDK2 core.
>
> Now the series contains all the basic support required to launch an SEV-SNP
> guest. We are still missing the Interrupt security feature provided by the
> SNP. The feature will be added after the base support is accepted.
>
> Additional resources
> ---------------------
> SEV-SNP whitepaper
> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
>
> APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)
>
> The complete source is available at
> https://github.com/AMDESE/ovmf/tree/snp-v14
>
> GHCB spec:
> https://developer.amd.com/wp-content/resources/56421.pdf
>
> SEV-SNP firmware specification:
> https://www.amd.com/system/files/TechDocs/56860.pdf
>
> Change since v13:
> * Added Ack's.
> * Rebased to recent master
>
> Change since v12:
> * MpLib: Add comment to clarify that SEV-SNP enabled implicitly means SEV and
>   SEV-ES are active.
> * MpLib: Move the extended topology initialization in AmdSev.c
>
> Change since v11:
> * rebase to the latest
> * fix the UefiCpuPkg PCD definition patch header.
>
> Change since v10:
> * fix 'unresolved external symbol __allshl' link error when building I32 for
>   VS2017.
>
> Changes since v9:
> * Move CCAttrs Pcd define in MdePkg
> * Add comment to indicate that allocating the identity map PT is temporary until
>   we get lazy validation
>
> Changes since v8:
> * drop the generic metadata and make it specific to SEV.
>
> Changes since v7:
> * Move SEV specific changes in MpLib in AmdSev file
> * Update the GHCB register function to not restore the GHCB MSR because
>   we were already in the MSR protocol mode.
> * Drop the SNP name from PcdSnpSecPreValidate.
> * Add new section for GHCB memory in the OVMF metadata.
>
> Change since v6:
> * Drop the SNP boot block GUID and switch to using the Metadata guided
>   structure proposed by Min in TDX series.
> * Exclude the GHCB page from the pre-validated region. It simplifies the reset
>   vector code where we do not need to unvalidate the GHCB page.
> * Now that GHCB page is not validated so move the VMPL check from reset vector
>   code to the MemEncryptSevLib on the first page validation.
> * Introduce the ConfidentialComputingGuestAttr PCD to communicate which
>   memory encryption is active so that MpInitLib can make use of it.
> * Drop the SEVES specific PCD as the information can be communicated via
>   the ConfidentialComputingGuestAttr.
> * Move the SNP specific AP creation function in AmdSev.c.
> * Define the SNP Blob GUID in a new file.
>
> Change since v5:
> * When possible use the CPUID value from CPUID page
> * Move the SEV specific functions from SecMain.c in AmdSev.c
> * Rebase to the latest code
> * Add the review feedback from Yao.
>
> Change since v4:
> * Use the correct MSR for the SEV_STATUS
> * Add VMPL-0 check
>
> Change since v3:
> * ResetVector: move all SEV specific code in AmdSev.asm and add macros to
>   keep the code readable.
> * Drop extending the EsWorkArea to contain SNP specific state.
> * Drop the GhcbGpa library and call the VmgExit directly to register GHCB GPA.
> * Install the CC blob config table from AmdSevDxe instead of extending the
>   AmdSev/SecretsDxe for it.
> * Add the separate PCDs for the SNP Secrets.
>
> Changes since v2:
> * Add support for the AP creation.
> * Use the module-scoping override to make AmdSevDxe use the IO port for PCI
>   reads.
> * Use the reserved memory type for CPUID and Secrets page.
>
> Changes since v1:
> * Drop the interval tree support to detect the pre-validated overlap region.
> * Use an array to keep track of pre-validated regions.
> * Add support to query the Hypervisor feature and verify that SNP feature is
>   supported.
> * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit from
>   MMIO ranges.
> * Pull the SevSecretDxe and SevSecretPei into OVMF package build.
> * Extend the SevSecretDxe to expose confidential computing blob location
>   through EFI configuration table.
>
> Brijesh Singh (28):
>   OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
>   UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
>   OvmfPkg/ResetVector: move clearing GHCB in SecMain
>   OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
>   OvmfPkg: reserve SNP secrets page
>   OvmfPkg: reserve CPUID page
>   OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
>   OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
>   OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
>   OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
>   OvmfPkg/AmdSevDxe: do not use extended PCI config space
>   OvmfPkg/MemEncryptSevLib: add support to validate system RAM
>   OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
>   OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
>   OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase
>   OvmfPkg/SecMain: validate the memory used for decompressing Fv
>   OvmfPkg/PlatformPei: validate the system RAM when SNP is active
>   MdePkg: Define ConfidentialComputingGuestAttr
>   OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active
>   UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status
>   UefiCpuPkg: add PcdGhcbHypervisorFeatures
>   OvmfPkg/PlatformPei: set the Hypervisor Features PCD
>   MdePkg/GHCB: increase the GHCB protocol max version
>   UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
>   OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
>   OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
>   OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
>   OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table
>
> Michael Roth (3):
>   OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
>   OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
>   UefiCpuPkg/MpInitLib: use BSP to do extended topology check
>
> Tom Lendacky (1):
>   UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
>
>  MdePkg/MdePkg.dec | 4 +
>  OvmfPkg/OvmfPkg.dec | 19 +
>  UefiCpuPkg/UefiCpuPkg.dec | 5 +
>  OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +-
>  OvmfPkg/Bhyve/BhyveX64.dsc | 5 +-
>  OvmfPkg/OvmfPkgIa32.dsc | 4 +
>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +-
>  OvmfPkg/OvmfPkgX64.dsc | 8 +-
>  OvmfPkg/OvmfXen.dsc | 5 +-
>  OvmfPkg/OvmfPkgX64.fdf | 6 +
>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 +
>  .../DxeMemEncryptSevLib.inf | 3 +
>  .../PeiMemEncryptSevLib.inf | 7 +
>  .../SecMemEncryptSevLib.inf | 3 +
>  OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 +
>  OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 +
>  OvmfPkg/PlatformPei/PlatformPei.inf | 7 +
>  OvmfPkg/ResetVector/ResetVector.inf | 5 +
>  OvmfPkg/Sec/SecMain.inf | 5 +
>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 6 +-
>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 6 +-
>  .../Include/ConfidentialComputingGuestAttr.h | 25 +
>  MdePkg/Include/Register/Amd/Ghcb.h | 2 +-
>  .../Guid/ConfidentialComputingSevSnpBlob.h | 33 ++
>  OvmfPkg/Include/Library/MemEncryptSevLib.h | 26 +
>  .../X64/SnpPageStateChange.h | 35 ++
>  .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 +
>  OvmfPkg/PlatformPei/Platform.h | 5 +
>  OvmfPkg/Sec/AmdSev.h | 94 ++++
>  UefiCpuPkg/Library/MpInitLib/MpLib.h | 107 +++-
>  OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 +
>  .../DxeMemEncryptSevLibInternal.c | 27 +
>  .../Ia32/MemEncryptSevLib.c | 17 +
>  .../PeiMemEncryptSevLibInternal.c | 27 +
>  .../SecMemEncryptSevLibInternal.c | 19 +
>  .../X64/DxeSnpSystemRamValidate.c | 40 ++
>  .../X64/PeiDxeVirtualMemory.c | 166 +++++-
>  .../X64/PeiSnpSystemRamValidate.c | 128 +++++
>  .../X64/SecSnpSystemRamValidate.c | 82 +++
>  .../X64/SnpPageStateChangeInternal.c | 300 +++++++++++
>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 499 +++++++++++++++++-
>  OvmfPkg/PlatformPei/AmdSev.c | 231 ++++++++
>  OvmfPkg/PlatformPei/MemDetect.c | 2 +
>  OvmfPkg/Sec/AmdSev.c | 303 +++++++++++
>  OvmfPkg/Sec/SecMain.c | 161 +-----
>  UefiCpuPkg/Library/MpInitLib/AmdSev.c | 266 ++++++++++
>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 17 +-
>  UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c | 70 +++
>  UefiCpuPkg/Library/MpInitLib/MpLib.c | 361 +++++--------
>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +-
>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 263 +++++++++
>  OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 +
>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 14 +
>  OvmfPkg/ResetVector/Ia32/AmdSev.asm | 86 ++-
>  OvmfPkg/ResetVector/ResetVector.nasmb | 18 +
>  OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 74 +++
>  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 2 +
>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 200 +++++++
>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 +---
>  59 files changed, 3448 insertions(+), 535 deletions(-)
>  create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h
>  create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>  create mode 100644 OvmfPkg/Sec/AmdSev.h
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>  create mode 100644 OvmfPkg/Sec/AmdSev.c
>  create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c
>  create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c
>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
>  create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
>
> --
> 2.25.1
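The quoted cover letter makes two points about page validation that are worth seeing in code: the guest must not PVALIDATE the same GPA twice, and the series keeps an array of pre-validated regions (rather than an interval tree) so that later validation of system RAM can skip pages that SEC already validated. The following is an added example written for this message; it is not OVMF's or edk2's code. All names (`ValidateSystemRam`, `RecordValidatedRange`, `IsPageValidated`, `SNP_PAGE_SIZE`, `MAX_VALIDATED_RANGES`) are hypothetical, the PVALIDATE instruction is replaced by a counter so the logic runs on an ordinary host, and the 1 MiB "pre-validated by SEC" region in `main` is a constructed sample value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical tracker for validated SEV-SNP guest pages (example code, not
 * OVMF's). Ranges are [Start, End) guest-physical addresses, 4 KiB aligned.
 * A real guest executes PVALIDATE once per page; here a counter stands in for
 * the instruction so the "never validate a GPA twice" check can be exercised.
 */
#define SNP_PAGE_SIZE        4096ULL
#define MAX_VALIDATED_RANGES 16

typedef struct {
  uint64_t Start;
  uint64_t End;
} VALIDATED_RANGE;

static VALIDATED_RANGE mValidated[MAX_VALIDATED_RANGES];
static size_t          mValidatedCount;
static uint64_t        mPvalidateCount;   /* simulated PVALIDATE invocations */

/* Forget every recorded range and zero the counter (demo/test helper). */
void ResetValidationTracker(void) {
  mValidatedCount = 0;
  mPvalidateCount = 0;
}

uint64_t GetPvalidateCount(void) {
  return mPvalidateCount;
}

/* True if the 4 KiB page at Gpa lies inside any recorded validated range. */
bool IsPageValidated(uint64_t Gpa) {
  for (size_t i = 0; i < mValidatedCount; i++) {
    if (Gpa >= mValidated[i].Start && Gpa < mValidated[i].End) {
      return true;
    }
  }
  return false;
}

/* Record [Start, End) as validated. Returns false for an empty range or a full table. */
bool RecordValidatedRange(uint64_t Start, uint64_t End) {
  if (Start >= End || mValidatedCount >= MAX_VALIDATED_RANGES) {
    return false;
  }
  mValidated[mValidatedCount].Start = Start;
  mValidated[mValidatedCount].End   = End;
  mValidatedCount++;
  return true;
}

/* Stand-in for PVALIDATE: one call per 4 KiB page, counted rather than executed. */
static void SimulatedPvalidate(uint64_t Gpa) {
  (void)Gpa;
  mPvalidateCount++;
}

/*
 * Validate every page of [Start, End) that is not already validated, then
 * record the range. Unaligned bounds are widened to page boundaries.
 * Returns the number of pages newly validated, or UINT64_MAX when the range
 * could not be recorded; that check happens before any page is touched so the
 * tracker never holds validated pages it has forgotten about.
 */
uint64_t ValidateSystemRam(uint64_t Start, uint64_t End) {
  uint64_t AlignedStart = Start & ~(SNP_PAGE_SIZE - 1);
  uint64_t AlignedEnd   = (End + SNP_PAGE_SIZE - 1) & ~(SNP_PAGE_SIZE - 1);
  uint64_t Pending      = 0;

  if (End < Start || AlignedStart >= AlignedEnd) {
    return 0;
  }
  /* First pass: count pages that still need PVALIDATE. */
  for (uint64_t Gpa = AlignedStart; Gpa < AlignedEnd; Gpa += SNP_PAGE_SIZE) {
    if (!IsPageValidated(Gpa)) {
      Pending++;
    }
  }
  if (Pending == 0) {
    return 0;                       /* fully covered by earlier validation */
  }
  if (mValidatedCount >= MAX_VALIDATED_RANGES) {
    return UINT64_MAX;              /* refuse rather than lose track */
  }
  /* Second pass: validate only the pages that are not yet validated. */
  for (uint64_t Gpa = AlignedStart; Gpa < AlignedEnd; Gpa += SNP_PAGE_SIZE) {
    if (!IsPageValidated(Gpa)) {
      SimulatedPvalidate(Gpa);
    }
  }
  RecordValidatedRange(AlignedStart, AlignedEnd);   /* cannot fail: checked above */
  return Pending;
}

int main(void) {
  ResetValidationTracker();
  /* Constructed sample: SEC already validated the first 1 MiB. */
  RecordValidatedRange(0x0, 0x100000);
  printf("newly validated: %llu pages\n",
         (unsigned long long)ValidateSystemRam(0x80000, 0x180000));
  printf("second pass:     %llu pages\n",
         (unsigned long long)ValidateSystemRam(0x80000, 0x180000));
  printf("PVALIDATE calls: %llu\n", (unsigned long long)GetPvalidateCount());
  return 0;
}
```

The two-pass shape is deliberate: counting first means a full tracker table is detected before any PVALIDATE is issued, so the tracker never disagrees with the RMP about which pages the guest has validated.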