From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by mx.groups.io with SMTP id smtpd.web09.3582.1630638234810406300
 for <devel@edk2.groups.io>;
 Thu, 02 Sep 2021 20:03:55 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=A6pzTt5S;
 spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: jiewen.yao@intel.com)
X-IronPort-AV: E=McAfee;i="6200,9189,10095"; a="304872985"
X-IronPort-AV: E=Sophos;i="5.85,264,1624345200"; 
   d="scan'208";a="304872985"
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
  by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Sep 2021 20:03:53 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.85,264,1624345200"; 
   d="scan'208";a="500106988"
Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83])
  by fmsmga008.fm.intel.com with ESMTP; 02 Sep 2021 20:03:53 -0700
Received: from fmsmsx608.amr.corp.intel.com (10.18.126.88) by
 fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12; Thu, 2 Sep 2021 20:03:53 -0700
Received: from fmsmsx607.amr.corp.intel.com (10.18.126.87) by
 fmsmsx608.amr.corp.intel.com (10.18.126.88) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12; Thu, 2 Sep 2021 20:03:53 -0700
Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by
 fmsmsx607.amr.corp.intel.com (10.18.126.87) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12 via Frontend Transport; Thu, 2 Sep 2021 20:03:53 -0700
Received: from NAM02-BN1-obe.outbound.protection.outlook.com (104.47.51.47) by
 edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2242.10; Thu, 2 Sep 2021 20:03:52 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=RD9ik49fE9I9cIneELtcwhQejwu9fcwqF/kSdyJ7tEiMHkQtxT+/7XWu4/uDqCLSP4oMxLBmAaxdBmijdHDCKReiTYXrhlVX24anAHYe09kXUHRF5xtq1K6zftGk1D0i2QN919cGmbwCZrhmHCWcWWlFfBmEf53TNrDAnWm5ax1/u7JQTaFXrVnPbD1EcGl7UbNdLXROKrnWBUAYvrLUj2AXqalA3k3K/vq3dgwlspR32y8Q5by9WbpWQIQU1lXV7IgFwk7LRNiWPmsx/I5syP6uHNc9ry37Lo53VM2HkdzHDLvjxU425j2CUsAxwGWJ+YvQ2DgeaTHow0xif1n/bQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=cJl8+jS/aeEDqxsj/FZ+XD5r+SKy/+eJmwQ/33hxM5c=;
 b=AOX/xt40vWbltxHBhN3J9BUStz8TgZ7H1+JqcDF7+BEKN8rAnLKQ2nfPtmSE1Ssv30CyN+fNt3XDGr+spaB4xWJShQV/MIHY7yLqKBDLsKn2EhEMkexhMdTDAbGx9AQNoPJlXJ2q4q4n6swiFHDzIjoevYtXaerkpHL8pSizzmESqHjmxRAc2gLzlGdbUYQMPQM7cQkLcqiQZv1Xynib1UWPshK3tMzvsP/Ix9WOJWy8jlJToJD58xmox3DKdYktSOEVwFiYl1asppWsmmRY7biqincl4lbOxWZ+WmZDsnOH7V9D3ic6D7Kesst6RSXRd9gflFvqeHwV1Gnx4KfAig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com;
 s=selector2-intel-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=cJl8+jS/aeEDqxsj/FZ+XD5r+SKy/+eJmwQ/33hxM5c=;
 b=A6pzTt5S8ooSSE4F2uNe+nVZ/llip6xvS4vs4NUCbfSx0NSeXsmzIoJKFIpJLqPYByy0zXpYT8iJ7egjTGK6MSPlxq3NOHnf57IaZMOtHB/QdS0v/qLlEW/mhJFpmYtC89ANsS4HOkwn0C4du/Y0w410/XMS8hfBkVX8HTHK4u8=
Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14)
 by PH0PR11MB4856.namprd11.prod.outlook.com (2603:10b6:510:32::10) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.21; Fri, 3 Sep
 2021 03:03:50 +0000
Received: from PH0PR11MB4885.namprd11.prod.outlook.com
 ([fe80::754e:42e9:16cd:1306]) by PH0PR11MB4885.namprd11.prod.outlook.com
 ([fe80::754e:42e9:16cd:1306%5]) with mapi id 15.20.4478.022; Fri, 3 Sep 2021
 03:03:50 +0000
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Xu, Min M" <min.m.xu@intel.com>, "kraxel@redhat.com" <kraxel@redhat.com>
CC: "devel@edk2.groups.io" <devel@edk2.groups.io>, Ard Biesheuvel
	<ardb+tianocore@kernel.org>, "Justen, Jordan L" <jordan.l.justen@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>, Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf
Thread-Topic: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel
 TDX in ResetVector of Ovmf
Thread-Index: AQHXnUe8zzrXuIpYXkOUxm6qh7dqPauLqi4AgAFGYgCAACjNAIACyKCAgAB41ACAAAi4gIABPVHw
Date: Fri, 3 Sep 2021 03:03:50 +0000
Message-ID: <PH0PR11MB48852CB9638254DEBAE2A4CA8CCF9@PH0PR11MB4885.namprd11.prod.outlook.com>
References: <cover.1630289827.git.min.m.xu@intel.com>
 <81c97a782bbbf83043854ad8a86d14604918d788.1630289827.git.min.m.xu@intel.com>
 <20210830074058.22gfqmzrha4su6fh@sirius.home.kraxel.org>
 <PH0PR11MB5064CE64BDCBBFA2654308C7C5CC9@PH0PR11MB5064.namprd11.prod.outlook.com>
 <20210831053510.ian6sqpefzmrrfi7@sirius.home.kraxel.org>
 <PH0PR11MB50647D56131D8449A650FC38C5CE9@PH0PR11MB5064.namprd11.prod.outlook.com>
 <20210902071812.2qet62x7npu25rht@sirius.home.kraxel.org>
 <PH0PR11MB5064D2AC9261BB504CF0257BC5CE9@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB5064D2AC9261BB504CF0257BC5CE9@PH0PR11MB5064.namprd11.prod.outlook.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.5.1.3
dlp-product: dlpe-windows
dlp-reaction: no-action
authentication-results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4f9de80d-f4c3-4564-6988-08d96e8774a7
x-ms-traffictypediagnostic: PH0PR11MB4856:
x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <PH0PR11MB48565DA83AFF2F4C48AFADE38CCF9@PH0PR11MB4856.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yKsoco3HKAmpB401jy1N9LVk/OFaLW7NeAU49H7wpOoXhWybCAy0h1R6r2ftK/t5gLKoqmkFtQ8amPC81IGmilJVWww/EvF6rVY0IeoFNlYKw7RdFx33JSZfConNPS5butMG+gLzsr5/dfoaJU1qdyYw9VMWT0gN5AZH5uYq0T65DM8aQhzcppNoKCKOAK8XDwOrNA/3dVUv16IOwd1WxRIayZyb1GtW5Vi2SJyOSBKJLikbQVyfhKZLjwxMvuIsE4b0RGJfCPAa1HkXPoASGVFwe48LHAi+s676Vpfzbn51lbEa5Cc8JY7xl901EiLl08bJCYcPPtBX2ScCW4RANAYM2WTOnbAb8J/avyIhxOYuyx1Nplq/YIjjkvSuMTIjiqDH3SkknZzZ+I9lWqhYGzeQTXIDtCe6gTzN/ZLsrPHqYV8vYBykc47UMrlYG1rBI0c0vJ/+frMNCzJ8Ir7NrgcyNp/mXnX6XCb9f3dYLPUqjLZPOljhzzwpH865xgN80P4E57nceqyzLR63Gf9K+3fTwTU1sUyGatL0M87NSBl+y8C+sFYTsL+5eyiWwScK/bUBIN8zz6p/YuQEXAyCpT6mZ0gllx3iaufQF07Pl99jHwhTJeMWv/58h/7ewCcvI9CHaO5gtCrSB75d6X+aop8XNg2j5tc5GIW8Cps1PKRXzzJ/DnNSMgHWIs78i2P/yzKMYtd3IHNnk9TXmdQQIw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(39850400004)(396003)(136003)(346002)(376002)(8676002)(83380400001)(86362001)(66556008)(66476007)(64756008)(66946007)(66446008)(122000001)(19627235002)(4326008)(33656002)(38070700005)(38100700002)(54906003)(53546011)(6506007)(478600001)(9686003)(71200400001)(186003)(2906002)(5660300002)(8936002)(316002)(55016002)(110136005)(52536014)(7696005)(76116006)(26005);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?KhrGowwClQRXNp4vhsgGf3b9Ki2EFeG0VEMx8oPGCUrIDk795C8moaaHnHLg?=
 =?us-ascii?Q?UUugzhGTOzfupw0a7jeQwawalpczDh8ZBpD89w+oBk2J7mBn+oebyVBPsBml?=
 =?us-ascii?Q?o29QbCwEQgzOoCuCfOCVxd3exEmTjhX4x3V4eYThIAW2AMVxjkQgMuP0LITC?=
 =?us-ascii?Q?WJvwRrrljdjUlfxw+e/2HemhkqGVJ/s0MI8QdkZVj6HdLmFv4tfPczkTGkfy?=
 =?us-ascii?Q?Eyu3jC5pkwjMBBoeQLVqp+nbhGbGPiqKXE005qyFa11OivyP02zIdbV8XvCD?=
 =?us-ascii?Q?1OIW3lJiFA+Ip1vTU8+6D2PMmnHhZbWDzwUUe6y7ExiL5ONZH+XXDeY7skju?=
 =?us-ascii?Q?e1nZv1P+hFmPHHlzBDmoCSJKOEsAaRZeDqoe1QQsLKbnRgN0fjMxxb/9OlQm?=
 =?us-ascii?Q?6bZFNsqXiOQzpCL2981OG7Di8Rj/TaPzbR3ML/EgYZTT53eeBMNL/6rgUgFm?=
 =?us-ascii?Q?kL0WR9YhYvcWEcLLzoDgUKtXSCEMzy7sLZyEPYIiRb8IndM7sv1csfJSh1GD?=
 =?us-ascii?Q?e4/Y2l79tsIh5Ija5iGGdaUOL2mKt6ixB1PDFrJXA0O59XuHQfKjFPw44v3m?=
 =?us-ascii?Q?nKZDx0/w4hPqxXuv1OHtptL6bvG3gmRpU4k7TnloXpWYSn6c/aBd1wPnlsR9?=
 =?us-ascii?Q?YofNEoV7BFecA1Iyk+P2gssgLcip27L9FK1rwGLrNuASPL9+g/IWdV3LdUDy?=
 =?us-ascii?Q?v9mtcCbNuVmMZjsNlf940RqDv0koxLjmYHvNoz73kOw6jWkV8x0AwuU0Wlhd?=
 =?us-ascii?Q?VLSibBPiCR2hoLjBNSnCaJ+wNNZNiH5QIHp9LEPRUePxc5pwC9d/3LNBArbO?=
 =?us-ascii?Q?EJ41+mqkbsSeooMNkwoY+0HXTnO89g7rHXkavjgc/wIb4BuUflMZsIYGLJ46?=
 =?us-ascii?Q?oCq0aHp5BIydMWK3eJk+JfmAazKQCJ2MEPppdViMsmTwda/gHZKsf772Zw3v?=
 =?us-ascii?Q?0eYz4eechgYqmpwfBnDmytJ09cl2VP0x1EvsXztjRs2qLnz6o2FkgOryudNa?=
 =?us-ascii?Q?ga4d38SnC/h4rUCdryPTPrMQ+2s7fBZK4Ju4r1PEfK8aArQLLU6yXA9ROYKw?=
 =?us-ascii?Q?Os9VeZXJ45lm4mcrVHg2tGTpuK1l8htYaEWy9fpOKEhpAXE8clgQ2AcYoBys?=
 =?us-ascii?Q?IDVGSn22DnDed3V/uH5cVfDRpP+Wj5Fd57ZEZHJDyPw37UOWLJ2EuLlhvP09?=
 =?us-ascii?Q?uTqYAMbE7gYxGwU1vHTOw71NN9JGD0MMbU+k3yDfV9Uc5ceSrkDDLMLN4/Uf?=
 =?us-ascii?Q?TGQ0y9WTjELJejMizLMA4CLRRL+1/YPn0hmDuUDhTrvpB7ZpHXfgeRXj8xBD?=
 =?us-ascii?Q?mySM3oWs37rgqewEvWFUXaVT?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4f9de80d-f4c3-4564-6988-08d96e8774a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Sep 2021 03:03:50.4921
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ARADhlL/PNTK4B56H/Ep7ih28tO2iCoAg7+XsDRU9a7JG1P5f+5ybF3e78uX0HEbteMP+APWZ//sIsJyr0grMw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4856
Return-Path: jiewen.yao@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

HI Min/Gerd
I think we have multiple ways to enable 5 level paging.

1) We do not change to 5 level in initial paging in reset vector.
We can switch from 4 level to 5 level later when permanent memory is availa=
ble.
We don't need change flash layout.

2) We can enable 5 level paging in initial paging.
2.1) We can enable 5 level paging with 1G paging support.
We don't need change flash layout. Only 3 pages is needed. (12K)
I don't know if we can real case that a CPU support 5 level but without 1G =
paging.

2.2) We can still enable 5 level paging with 2M paging.
2.2.1) We can change flash layout to increase 6 pages (24K) memory to 7 pag=
es (28K).
So the CR3 in 5 level is same as the CR3 in 4 level.

2.2.2) We don't change flash layout but steal another page in somewhere els=
e - PcdOvmfPml5Base
That means CR3 in 5 level is different with CR4 in 4 level.
Personally, I don't like the idea to create PcdOvmfPml5Base/Size
Other AP MUST check 5 level and 4 level to get right CR3 location. That is =
tricky and unnecessary.

In current patch, 2.2.2) is used.

I suggest we also evaluate option 1), 2.1) and 2.2.1).

If changing layout is NOT a concern then we can do 2.2.1).
If we don't want to change layout, we can do 2.1) and fall back to 1).



Thank you
Yao Jiewen


> -----Original Message-----
> From: Xu, Min M <min.m.xu@intel.com>
> Sent: Thursday, September 2, 2021 3:49 PM
> To: kraxel@redhat.com
> Cc: devel@edk2.groups.io; Ard Biesheuvel <ardb+tianocore@kernel.org>; Jus=
ten,
> Jordan L <jordan.l.justen@intel.com>; Brijesh Singh <brijesh.singh@amd.co=
m>;
> Erdem Aktas <erdemaktas@google.com>; James Bottomley
> <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>
> Subject: RE: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Inte=
l
> TDX in ResetVector of Ovmf
>=20
> On September 2, 2021 3:18 PM, Gerd Hoffmann wrote:
> >   Hi,
> >
> > > > Sure.  And I think we should add proper 5-level paging support to
> > > > the current ovmf implementation instead of adding hacks to the tdx =
code.
> > > My understanding is that we should first add 5-level paging support i=
n
> > OVMF, right?
> >
> > Well, the page table setup should be in common code not tdx code as 5-l=
evel
> > paging isn't something tdx-specific.
> Agree.
> >
> > I'd suggest to add this to OvmfPkg/ResetVector/Ia32/PageTables64.asm.
> > Reserve one more page, setup the tables for 5-level paging by inserting=
 a
> > level 5 page directory.
> In the current patch a page (defined by PcdOvmfSecGhcbPageTableBase)
> reserved in MEMFD
> is used as the 5-level page directory.
> Now One new page will be reserved in MEMFD to hold the level 5 page direc=
tory.
> Like below:
> 0x00C000|0x001000
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTo
> kenSpaceGuid.PcdOvmfSecGhcbBackupSize
>=20
> +0x00D000|0x001000
> +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPml5Base|gUefiOvmfPkgTokenSpace
> Guid.PcdOvmfPml5Size
> >
> > When using 5-level paging let cr3 point to the first page (level 5 page=
dir),
> > when using 4-level paging let cr3 point to the second page (level 4 pag=
edir).
> Yes. CPUID.(EAX=3D07H, ECX=3D0):ECX[bit 16] will be used to check if 5-le=
vel paging
> is supported.
> >
> > Can be part of this patch series, just make it a separate patch for eas=
ier
> > review.
> Sure.
> >
> > Whenever we should enable 5-level paging even in non-tdx mode or use 5-
> > level paging only with tdx is a separate question.  We can continue to =
use 4-
> > level paging in non-tdx mode for now and discuss that later.
> Agree.
> >
> > I'm not sure which implications this would have for booting older kerne=
ls,
> > when handing over control to a OS kernel without 5-level paging support=
 but
> > 5-level paging enabled (non-issue for tdx as this requires a new tdx-aw=
are
> > guest kernel anyway ...).
>=20
> Thanks!
> Min