From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web09.3582.1630638234810406300 for ; Thu, 02 Sep 2021 20:03:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=A6pzTt5S; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10095"; a="304872985" X-IronPort-AV: E=Sophos;i="5.85,264,1624345200"; d="scan'208";a="304872985" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Sep 2021 20:03:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,264,1624345200"; d="scan'208";a="500106988" Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by fmsmga008.fm.intel.com with ESMTP; 02 Sep 2021 20:03:53 -0700 Received: from fmsmsx608.amr.corp.intel.com (10.18.126.88) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 2 Sep 2021 20:03:53 -0700 Received: from fmsmsx607.amr.corp.intel.com (10.18.126.87) by fmsmsx608.amr.corp.intel.com (10.18.126.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 2 Sep 2021 20:03:53 -0700 Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx607.amr.corp.intel.com (10.18.126.87) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Thu, 2 Sep 2021 20:03:53 -0700 Received: from NAM02-BN1-obe.outbound.protection.outlook.com (104.47.51.47) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Thu, 2 Sep 2021 20:03:52 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RD9ik49fE9I9cIneELtcwhQejwu9fcwqF/kSdyJ7tEiMHkQtxT+/7XWu4/uDqCLSP4oMxLBmAaxdBmijdHDCKReiTYXrhlVX24anAHYe09kXUHRF5xtq1K6zftGk1D0i2QN919cGmbwCZrhmHCWcWWlFfBmEf53TNrDAnWm5ax1/u7JQTaFXrVnPbD1EcGl7UbNdLXROKrnWBUAYvrLUj2AXqalA3k3K/vq3dgwlspR32y8Q5by9WbpWQIQU1lXV7IgFwk7LRNiWPmsx/I5syP6uHNc9ry37Lo53VM2HkdzHDLvjxU425j2CUsAxwGWJ+YvQ2DgeaTHow0xif1n/bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=cJl8+jS/aeEDqxsj/FZ+XD5r+SKy/+eJmwQ/33hxM5c=; b=AOX/xt40vWbltxHBhN3J9BUStz8TgZ7H1+JqcDF7+BEKN8rAnLKQ2nfPtmSE1Ssv30CyN+fNt3XDGr+spaB4xWJShQV/MIHY7yLqKBDLsKn2EhEMkexhMdTDAbGx9AQNoPJlXJ2q4q4n6swiFHDzIjoevYtXaerkpHL8pSizzmESqHjmxRAc2gLzlGdbUYQMPQM7cQkLcqiQZv1Xynib1UWPshK3tMzvsP/Ix9WOJWy8jlJToJD58xmox3DKdYktSOEVwFiYl1asppWsmmRY7biqincl4lbOxWZ+WmZDsnOH7V9D3ic6D7Kesst6RSXRd9gflFvqeHwV1Gnx4KfAig== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cJl8+jS/aeEDqxsj/FZ+XD5r+SKy/+eJmwQ/33hxM5c=; b=A6pzTt5S8ooSSE4F2uNe+nVZ/llip6xvS4vs4NUCbfSx0NSeXsmzIoJKFIpJLqPYByy0zXpYT8iJ7egjTGK6MSPlxq3NOHnf57IaZMOtHB/QdS0v/qLlEW/mhJFpmYtC89ANsS4HOkwn0C4du/Y0w410/XMS8hfBkVX8HTHK4u8= Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) by PH0PR11MB4856.namprd11.prod.outlook.com (2603:10b6:510:32::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.21; Fri, 3 Sep 2021 03:03:50 +0000 Received: from PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::754e:42e9:16cd:1306]) by PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::754e:42e9:16cd:1306%5]) with mapi id 15.20.4478.022; Fri, 3 Sep 2021 03:03:50 +0000 From: "Yao, Jiewen" To: "Xu, Min M" , "kraxel@redhat.com" CC: "devel@edk2.groups.io" , Ard Biesheuvel , "Justen, Jordan L" , Brijesh Singh , Erdem Aktas , James Bottomley , Tom Lendacky Subject: Re: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf Thread-Topic: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf Thread-Index: AQHXnUe8zzrXuIpYXkOUxm6qh7dqPauLqi4AgAFGYgCAACjNAIACyKCAgAB41ACAAAi4gIABPVHw Date: Fri, 3 Sep 2021 03:03:50 +0000 Message-ID: References: <81c97a782bbbf83043854ad8a86d14604918d788.1630289827.git.min.m.xu@intel.com> <20210830074058.22gfqmzrha4su6fh@sirius.home.kraxel.org> <20210831053510.ian6sqpefzmrrfi7@sirius.home.kraxel.org> <20210902071812.2qet62x7npu25rht@sirius.home.kraxel.org> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.5.1.3 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 4f9de80d-f4c3-4564-6988-08d96e8774a7 x-ms-traffictypediagnostic: PH0PR11MB4856: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: yKsoco3HKAmpB401jy1N9LVk/OFaLW7NeAU49H7wpOoXhWybCAy0h1R6r2ftK/t5gLKoqmkFtQ8amPC81IGmilJVWww/EvF6rVY0IeoFNlYKw7RdFx33JSZfConNPS5butMG+gLzsr5/dfoaJU1qdyYw9VMWT0gN5AZH5uYq0T65DM8aQhzcppNoKCKOAK8XDwOrNA/3dVUv16IOwd1WxRIayZyb1GtW5Vi2SJyOSBKJLikbQVyfhKZLjwxMvuIsE4b0RGJfCPAa1HkXPoASGVFwe48LHAi+s676Vpfzbn51lbEa5Cc8JY7xl901EiLl08bJCYcPPtBX2ScCW4RANAYM2WTOnbAb8J/avyIhxOYuyx1Nplq/YIjjkvSuMTIjiqDH3SkknZzZ+I9lWqhYGzeQTXIDtCe6gTzN/ZLsrPHqYV8vYBykc47UMrlYG1rBI0c0vJ/+frMNCzJ8Ir7NrgcyNp/mXnX6XCb9f3dYLPUqjLZPOljhzzwpH865xgN80P4E57nceqyzLR63Gf9K+3fTwTU1sUyGatL0M87NSBl+y8C+sFYTsL+5eyiWwScK/bUBIN8zz6p/YuQEXAyCpT6mZ0gllx3iaufQF07Pl99jHwhTJeMWv/58h/7ewCcvI9CHaO5gtCrSB75d6X+aop8XNg2j5tc5GIW8Cps1PKRXzzJ/DnNSMgHWIs78i2P/yzKMYtd3IHNnk9TXmdQQIw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(39850400004)(396003)(136003)(346002)(376002)(8676002)(83380400001)(86362001)(66556008)(66476007)(64756008)(66946007)(66446008)(122000001)(19627235002)(4326008)(33656002)(38070700005)(38100700002)(54906003)(53546011)(6506007)(478600001)(9686003)(71200400001)(186003)(2906002)(5660300002)(8936002)(316002)(55016002)(110136005)(52536014)(7696005)(76116006)(26005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?KhrGowwClQRXNp4vhsgGf3b9Ki2EFeG0VEMx8oPGCUrIDk795C8moaaHnHLg?= =?us-ascii?Q?UUugzhGTOzfupw0a7jeQwawalpczDh8ZBpD89w+oBk2J7mBn+oebyVBPsBml?= =?us-ascii?Q?o29QbCwEQgzOoCuCfOCVxd3exEmTjhX4x3V4eYThIAW2AMVxjkQgMuP0LITC?= =?us-ascii?Q?WJvwRrrljdjUlfxw+e/2HemhkqGVJ/s0MI8QdkZVj6HdLmFv4tfPczkTGkfy?= =?us-ascii?Q?Eyu3jC5pkwjMBBoeQLVqp+nbhGbGPiqKXE005qyFa11OivyP02zIdbV8XvCD?= =?us-ascii?Q?1OIW3lJiFA+Ip1vTU8+6D2PMmnHhZbWDzwUUe6y7ExiL5ONZH+XXDeY7skju?= =?us-ascii?Q?e1nZv1P+hFmPHHlzBDmoCSJKOEsAaRZeDqoe1QQsLKbnRgN0fjMxxb/9OlQm?= =?us-ascii?Q?6bZFNsqXiOQzpCL2981OG7Di8Rj/TaPzbR3ML/EgYZTT53eeBMNL/6rgUgFm?= =?us-ascii?Q?kL0WR9YhYvcWEcLLzoDgUKtXSCEMzy7sLZyEPYIiRb8IndM7sv1csfJSh1GD?= =?us-ascii?Q?e4/Y2l79tsIh5Ija5iGGdaUOL2mKt6ixB1PDFrJXA0O59XuHQfKjFPw44v3m?= =?us-ascii?Q?nKZDx0/w4hPqxXuv1OHtptL6bvG3gmRpU4k7TnloXpWYSn6c/aBd1wPnlsR9?= =?us-ascii?Q?YofNEoV7BFecA1Iyk+P2gssgLcip27L9FK1rwGLrNuASPL9+g/IWdV3LdUDy?= =?us-ascii?Q?v9mtcCbNuVmMZjsNlf940RqDv0koxLjmYHvNoz73kOw6jWkV8x0AwuU0Wlhd?= =?us-ascii?Q?VLSibBPiCR2hoLjBNSnCaJ+wNNZNiH5QIHp9LEPRUePxc5pwC9d/3LNBArbO?= =?us-ascii?Q?EJ41+mqkbsSeooMNkwoY+0HXTnO89g7rHXkavjgc/wIb4BuUflMZsIYGLJ46?= =?us-ascii?Q?oCq0aHp5BIydMWK3eJk+JfmAazKQCJ2MEPppdViMsmTwda/gHZKsf772Zw3v?= =?us-ascii?Q?0eYz4eechgYqmpwfBnDmytJ09cl2VP0x1EvsXztjRs2qLnz6o2FkgOryudNa?= =?us-ascii?Q?ga4d38SnC/h4rUCdryPTPrMQ+2s7fBZK4Ju4r1PEfK8aArQLLU6yXA9ROYKw?= =?us-ascii?Q?Os9VeZXJ45lm4mcrVHg2tGTpuK1l8htYaEWy9fpOKEhpAXE8clgQ2AcYoBys?= =?us-ascii?Q?IDVGSn22DnDed3V/uH5cVfDRpP+Wj5Fd57ZEZHJDyPw37UOWLJ2EuLlhvP09?= =?us-ascii?Q?uTqYAMbE7gYxGwU1vHTOw71NN9JGD0MMbU+k3yDfV9Uc5ceSrkDDLMLN4/Uf?= =?us-ascii?Q?TGQ0y9WTjELJejMizLMA4CLRRL+1/YPn0hmDuUDhTrvpB7ZpHXfgeRXj8xBD?= =?us-ascii?Q?mySM3oWs37rgqewEvWFUXaVT?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4f9de80d-f4c3-4564-6988-08d96e8774a7 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Sep 2021 03:03:50.4921 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ARADhlL/PNTK4B56H/Ep7ih28tO2iCoAg7+XsDRU9a7JG1P5f+5ybF3e78uX0HEbteMP+APWZ//sIsJyr0grMw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4856 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable HI Min/Gerd I think we have multiple ways to enable 5 level paging. 1) We do not change to 5 level in initial paging in reset vector. We can switch from 4 level to 5 level later when permanent memory is availa= ble. We don't need change flash layout. 2) We can enable 5 level paging in initial paging. 2.1) We can enable 5 level paging with 1G paging support. We don't need change flash layout. Only 3 pages is needed. (12K) I don't know if we can real case that a CPU support 5 level but without 1G = paging. 2.2) We can still enable 5 level paging with 2M paging. 2.2.1) We can change flash layout to increase 6 pages (24K) memory to 7 pag= es (28K). So the CR3 in 5 level is same as the CR3 in 4 level. 2.2.2) We don't change flash layout but steal another page in somewhere els= e - PcdOvmfPml5Base That means CR3 in 5 level is different with CR4 in 4 level. Personally, I don't like the idea to create PcdOvmfPml5Base/Size Other AP MUST check 5 level and 4 level to get right CR3 location. That is = tricky and unnecessary. In current patch, 2.2.2) is used. I suggest we also evaluate option 1), 2.1) and 2.2.1). If changing layout is NOT a concern then we can do 2.2.1). If we don't want to change layout, we can do 2.1) and fall back to 1). Thank you Yao Jiewen > -----Original Message----- > From: Xu, Min M > Sent: Thursday, September 2, 2021 3:49 PM > To: kraxel@redhat.com > Cc: devel@edk2.groups.io; Ard Biesheuvel ; Jus= ten, > Jordan L ; Brijesh Singh ; > Erdem Aktas ; James Bottomley > ; Yao, Jiewen ; Tom Lendacky > > Subject: RE: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Inte= l > TDX in ResetVector of Ovmf >=20 > On September 2, 2021 3:18 PM, Gerd Hoffmann wrote: > > Hi, > > > > > > Sure. And I think we should add proper 5-level paging support to > > > > the current ovmf implementation instead of adding hacks to the tdx = code. > > > My understanding is that we should first add 5-level paging support i= n > > OVMF, right? > > > > Well, the page table setup should be in common code not tdx code as 5-l= evel > > paging isn't something tdx-specific. > Agree. > > > > I'd suggest to add this to OvmfPkg/ResetVector/Ia32/PageTables64.asm. > > Reserve one more page, setup the tables for 5-level paging by inserting= a > > level 5 page directory. > In the current patch a page (defined by PcdOvmfSecGhcbPageTableBase) > reserved in MEMFD > is used as the 5-level page directory. > Now One new page will be reserved in MEMFD to hold the level 5 page direc= tory. > Like below: > 0x00C000|0x001000 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTo > kenSpaceGuid.PcdOvmfSecGhcbBackupSize >=20 > +0x00D000|0x001000 > +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPml5Base|gUefiOvmfPkgTokenSpace > Guid.PcdOvmfPml5Size > > > > When using 5-level paging let cr3 point to the first page (level 5 page= dir), > > when using 4-level paging let cr3 point to the second page (level 4 pag= edir). > Yes. CPUID.(EAX=3D07H, ECX=3D0):ECX[bit 16] will be used to check if 5-le= vel paging > is supported. > > > > Can be part of this patch series, just make it a separate patch for eas= ier > > review. > Sure. > > > > Whenever we should enable 5-level paging even in non-tdx mode or use 5- > > level paging only with tdx is a separate question. We can continue to = use 4- > > level paging in non-tdx mode for now and discuss that later. > Agree. > > > > I'm not sure which implications this would have for booting older kerne= ls, > > when handing over control to a OS kernel without 5-level paging support= but > > 5-level paging enabled (non-issue for tdx as this requires a new tdx-aw= are > > guest kernel anyway ...). >=20 > Thanks! > Min