From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Singh, Brijesh", "devel@edk2.groups.io"
CC: James Bottomley, "Xu, Min M", "Lendacky, Thomas", "Justen, Jordan L", Ard Biesheuvel, Erdem Aktas, "Roth, Michael", Gerd Hoffmann, "Ni, Ray", "Kumar, Rahul1", "Yao, Jiewen"
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
Date: Mon, 8 Nov 2021 02:14:01 +0000
References: <20211023041349.1263726-1-brijesh.singh@amd.com> <7c252991-d51a-461e-da8e-8f1de6fe41ba@amd.com> <16B33B74BAC60F9D.13000@groups.io>

I recommend you split the patch set to OvmfPkg update and UefiPkg update, unless there is strong reason that you have to mix them together.

With that, I can merge the OvmfPkg at first and we can move forward there, while waiting UefiPkg review.

If you agree, please rebase and resubmit.

Thank you
Yao Jiewen

From: Singh, Brijesh
Sent: Monday, November 8, 2021 10:11 AM
To: Yao, Jiewen; devel@edk2.groups.io; Singh, Brijesh
Cc: James Bottomley; Xu, Min M; Lendacky, Thomas; Justen, Jordan L; Ard Biesheuvel; Erdem Aktas; Roth, Michael; Gerd Hoffmann; Ni, Ray; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support

[AMD Official Use Only]

Hi,

I am not getting any response from the UefiCpuPkg maintainers, I am not sure if the Ray/Rahul are on vacation or need more information.

Jiewen and Gerd,

Any recommendations how we proceed further ? I can send the rebased version and we can go ahead and commit it. If UefiCpuPkg maintainer does not like something, then I am always happy to rework the stuff after the commit. I would like to send some cleanup patches post SNP series that will simplify some of the MemEncryptIs{Sev,Es,Snp}Enabled() based on our recent workarea patches. It will also help/align with the TDX series.

-Brijesh

________________________________
From: devel@edk2.groups.io on behalf of Brijesh Singh via groups.io <brijesh.singh=amd.com@groups.io>
Sent: Sunday, October 31, 2021 4:40 PM
To: Yao, Jiewen; devel@edk2.groups.io
Cc: Singh, Brijesh; James Bottomley; Xu, Min M <min.m.xu@intel.com>; Lendacky, Thomas; Justen, Jordan L; Ard Biesheuvel; Erdem Aktas; Roth, Michael; Gerd Hoffmann; Ray Ni; Rahul Kumar
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support

Hi Ray and Rahul,

Gentle ping. Could you please Ack or R-b the files touched in UefiCpuPkg?

-Brijesh

On 10/29/21 9:52 AM, Brijesh Singh wrote:
> Hi Jiewen,
>
> I have not heard anything back from UefiCpuPkg maintainer yet, I will
> send another gentle ping on Monday again and hope maintainer get to it.
>
> -Brijesh
>
> On 10/29/21 7:26 AM, Yao, Jiewen wrote:
>> Hi Brijesh
>> Have you got R-B from UefiCpuPkg maintainer?
>>
>>
>>
>>> -----Original Message-----
>>> From: Brijesh Singh
>>> Sent: Monday, October 25, 2021 7:54 AM
>>> To: devel@edk2.groups.io; Yao, Jiewen
>>> Cc: brijesh.singh@amd.com; James Bottomley; Xu, Min M;
>>> Tom Lendacky; Justen, Jordan L; Ard Biesheuvel; Erdem Aktas;
>>> Michael Roth; Gerd Hoffmann
>>> Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging
>>> (SEV-SNP) support
>>>
>>> Thank Jiewen,
>>>
>>> I have ping'ed UefiCpuPkg maintainer (Ray and Rahul) on every patch
>>> which touches the UefiCpuPkg. If maintainer wants me to rework on
>>> something then I will work accordingly. If they are okay with v11 then
>>> now the merge will create a conflict (due to the TDX patches merge
>>> commit).
>>> I have rebased my series to the recent master and have pushed
>>> it here: https://github.com/AMDESE/ovmf/tree/snp-v12. I can post the
>>> series if you prefer it.
>>>
>>> thanks
>>>
>>> On 10/23/21 8:46 PM, Yao, Jiewen via groups.io wrote:
>>>> Yes. I will try my best to merge.
>>>>
>>>> I checked the patch set but I did not find the "R-B" from UefiCpuPkg
>>>> maintainer. Neither from email nor from you v11.
>>>> Did I miss something?
>>>>
>>>> Thank you
>>>> Yao Jiewen
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Brijesh Singh
>>>>> Sent: Saturday, October 23, 2021 12:13 PM
>>>>> To: devel@edk2.groups.io
>>>>> Cc: James Bottomley; Xu, Min M; Yao, Jiewen; Tom Lendacky;
>>>>> Justen, Jordan L; Ard Biesheuvel; Erdem Aktas; Michael Roth
>>>>> <Michael.Roth@amd.com>; Gerd Hoffmann; Brijesh Singh
>>>>> Subject: [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP)
>>>>> support
>>>>>
>>>>> Hi Gerd and Jiewen,
>>>>>
>>>>> CI was a bit unstable during my v10 submission, so, I was not able to
>>>>> run it to the completion. Finally, I managed to get the CI going,
>>>>> and it reported few Windows 32-bit build errors. The v11 fixes those build
>>>>> errors. Please consider this for the merge.
>>>>>
>>>>> Thank you so much for all your support in reviewing the series.
>>>>>
>>>>> -----------------------------------------------------------------------------
>>>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>>>>
>>>>> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
>>>>> new hardware-based memory protections. SEV-SNP adds strong memory
>>>>> integrity protection to help prevent malicious hypervisor-based attacks
>>>>> like data replay, memory re-mapping and more in order to create an
>>>>> isolated memory encryption environment.
>>>>>
>>>>> This series provides the basic building blocks to support booting the SEV-SNP
>>>>> VMs, it does not cover all the security enhancement introduced by the SEV-SNP
>>>>> such as interrupt protection.
>>>>>
>>>>> Many of the integrity guarantees of SEV-SNP are enforced through a new
>>>>> structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP
>>>>> VM requires a 2-step process. First, the hypervisor assigns a page to the
>>>>> guest using the new RMPUPDATE instruction. This transitions the page to
>>>>> guest-invalid. Second, the guest validates the page using the new PVALIDATE
>>>>> instruction. The SEV-SNP VMs can use the new "Page State Change Request
>>>>> NAE" defined in the GHCB specification to ask hypervisor to add or remove
>>>>> page from the RMP table.
>>>>>
>>>>> Each page assigned to the SEV-SNP VM can either be validated or unvalidated,
>>>>> as indicated by the Validated flag in the page's RMP entry. There are two
>>>>> approaches that can be taken for the page validation: Pre-validation and
>>>>> Lazy Validation.
>>>>>
>>>>> Under pre-validation, the pages are validated prior to first use. And under
>>>>> lazy validation, pages are validated when first accessed.
>>>>> An access to an
>>>>> unvalidated page results in a #VC exception, at which time the exception
>>>>> handler may validate the page. Lazy validation requires careful tracking of
>>>>> the validated pages to avoid validating the same GPA more than once. The
>>>>> recently introduced "Unaccepted" memory type can be used to communicate
>>>>> the unvalidated memory ranges to the Guest OS.
>>>>>
>>>>> At this time we only support the pre-validation. OVMF detects all the
>>>>> available system RAM in the PEI phase. When SEV-SNP is enabled, the memory
>>>>> is validated before it is made available to the EDK2 core.
>>>>>
>>>>> Now that series contains all the basic support required to launch SEV-SNP
>>>>> guest. We are still missing the Interrupt security feature provided by the
>>>>> SNP. The feature will be added after the base support is accepted.
>>>>>
>>>>> Additional resources
>>>>> ---------------------
>>>>> SEV-SNP whitepaper
>>>>> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
>>>>>
>>>>> APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)
>>>>>
>>>>> The complete source is available at
>>>>> https://github.com/AMDESE/ovmf/tree/snp-v11
>>>>>
>>>>> GHCB spec:
>>>>> https://developer.amd.com/wp-content/resources/56421.pdf
>>>>>
>>>>> SEV-SNP firmware specification:
>>>>> https://www.amd.com/system/files/TechDocs/56860.pdf
>>>>>
>>>>> Change since v10:
>>>>> * fix 'unresolved external symbol __allshl' link error when building I32 for
>>>>>   VS2017.
>>>>>
>>>>> Changes since v9:
>>>>> * Move CCAttrs Pcd define in MdePkg
>>>>> * Add comment to indicate that allocating the identity map PT is temporary
>>>>>   until we get lazy validation
>>>>>
>>>>> Changes since v8:
>>>>> * drop the generic metadata and make it specific to SEV.
>>>>>
>>>>> Changes since v7:
>>>>> * Move SEV specific changes in MpLib in AmdSev file
>>>>> * Update the GHCB register function to not restore the GHCB MSR because
>>>>>   we were already in the MSR protocol mode.
>>>>> * Drop the SNP name from PcdSnpSecPreValidate.
>>>>> * Add new section for GHCB memory in the OVMF metadata.
>>>>>
>>>>> Change since v6:
>>>>> * Drop the SNP boot block GUID and switch to using the Metadata guided
>>>>>   structure proposed by Min in TDX series.
>>>>> * Exclude the GHCB page from the pre-validated region. It simplifies the
>>>>>   reset vector code where we do not need to unvalidate the GHCB page.
>>>>> * Now that GHCB page is not validated so move the VMPL check from reset
>>>>>   vector code to the MemEncryptSevLib on the first page validation.
>>>>> * Introduce the ConfidentialComputingGuestAttr PCD to communicate which
>>>>>   memory encryption is active so that MpInitLib can make use of it.
>>>>> * Drop the SEVES specific PCD as the information can be communicated via
>>>>>   the ConfidentialComputingGuestAttr.
>>>>> * Move the SNP specific AP creation function in AmdSev.c.
>>>>> * Define the SNP Blob GUID in a new file.
>>>>>
>>>>> Change since v5:
>>>>> * When possible use the CPUID value from CPUID page
>>>>> * Move the SEV specific functions from SecMain.c in AmdSev.c
>>>>> * Rebase to the latest code
>>>>> * Add the review feedback from Yao.
>>>>>
>>>>> Change since v4:
>>>>> * Use the correct MSR for the SEV_STATUS
>>>>> * Add VMPL-0 check
>>>>>
>>>>> Change since v3:
>>>>> * ResetVector: move all SEV specific code in AmdSev.asm and add macros to
>>>>>   keep the code readable.
>>>>> * Drop extending the EsWorkArea to contain SNP specific state.
>>>>> * Drop the GhcbGpa library and call the VmgExit directly to register GHCB
>>>>>   GPA.
>>>>> * Install the CC blob config table from AmdSevDxe instead of extending the
>>>>>   AmdSev/SecretsDxe for it.
>>>>> * Add the separate PCDs for the SNP Secrets.
>>>>>
>>>>> Changes since v2:
>>>>> * Add support for the AP creation.
>>>>> * Use the module-scoping override to make AmdSevDxe use the IO port for
>>>>>   PCI reads.
>>>>> * Use the reserved memory type for CPUID and Secrets page.
>>>>> *
>>>>> Changes since v1:
>>>>> * Drop the interval tree support to detect the pre-validated overlap region.
>>>>> * Use an array to keep track of pre-validated regions.
>>>>> * Add support to query the Hypervisor feature and verify that SNP feature is
>>>>>   supported.
>>>>> * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit from
>>>>>   MMIO ranges.
>>>>> * Pull the SevSecretDxe and SevSecretPei into OVMF package build.
>>>>> * Extend the SevSecretDxe to expose confidential computing blob location
>>>>>   through EFI configuration table.
>>>>>
>>>>> Brijesh Singh (28):
>>>>>   OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
>>>>>   UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
>>>>>   OvmfPkg/ResetVector: move clearing GHCB in SecMain
>>>>>   OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
>>>>>   OvmfPkg: reserve SNP secrets page
>>>>>   OvmfPkg: reserve CPUID page
>>>>>   OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
>>>>>   OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
>>>>>   OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
>>>>>   OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
>>>>>   OvmfPkg/AmdSevDxe: do not use extended PCI config space
>>>>>   OvmfPkg/MemEncryptSevLib: add support to validate system RAM
>>>>>   OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
>>>>>   OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
>>>>>   OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI
>>>>>     phase
>>>>>   OvmfPkg/SecMain: validate the memory used for decompressing Fv
>>>>>   OvmfPkg/PlatformPei: validate the system RAM when SNP is active
>>>>>   UefiCpuPkg: Define ConfidentialComputingGuestAttr
>>>>>   OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is
>>>>>     active
>>>>>   UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV
>>>>>     status
>>>>>   UefiCpuPkg: add PcdGhcbHypervisorFeatures
>>>>>   OvmfPkg/PlatformPei: set the Hypervisor Features PCD
>>>>>   MdePkg/GHCB: increase the GHCB protocol max version
>>>>>   UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is
>>>>>     enabled
>>>>>   OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
>>>>>   OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
>>>>>   OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
>>>>>   OvmfPkg/AmdSev: expose the SNP reserved pages through configuration
>>>>>     table
>>>>>
>>>>> Michael Roth (3):
>>>>>   OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
>>>>>   OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
>>>>>   UefiCpuPkg/MpInitLib: use BSP to do extended topology check
>>>>>
>>>>> Tom Lendacky (1):
>>>>>   UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
>>>>>
>>>>>  MdePkg/MdePkg.dec | 4 +
>>>>>  OvmfPkg/OvmfPkg.dec | 18 +
>>>>>  UefiCpuPkg/UefiCpuPkg.dec | 5 +
>>>>>  OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +-
>>>>>  OvmfPkg/Bhyve/BhyveX64.dsc | 5 +-
>>>>>  OvmfPkg/OvmfPkgIa32.dsc | 4 +
>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +-
>>>>>  OvmfPkg/OvmfPkgX64.dsc | 8 +-
>>>>>  OvmfPkg/OvmfXen.dsc | 5 +-
>>>>>  OvmfPkg/OvmfPkgX64.fdf | 6 +
>>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 +
>>>>>  .../DxeMemEncryptSevLib.inf | 3 +
>>>>>  .../PeiMemEncryptSevLib.inf | 7 +
>>>>>  .../SecMemEncryptSevLib.inf | 3 +
>>>>>  OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 +
>>>>>  OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 +
>>>>>  OvmfPkg/PlatformPei/PlatformPei.inf | 7 +
>>>>>  OvmfPkg/ResetVector/ResetVector.inf | 5 +
>>>>>  OvmfPkg/Sec/SecMain.inf | 4 +
>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 6 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 6 +-
>>>>>  .../Include/ConfidentialComputingGuestAttr.h | 25 +
>>>>>  MdePkg/Include/Register/Amd/Ghcb.h | 2 +-
>>>>>  .../Guid/ConfidentialComputingSevSnpBlob.h | 33 ++
>>>>>  OvmfPkg/Include/Library/MemEncryptSevLib.h | 26 +
>>>>>  .../X64/SnpPageStateChange.h | 36 ++
>>>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 +
>>>>>  OvmfPkg/PlatformPei/Platform.h | 5 +
>>>>>  OvmfPkg/Sec/AmdSev.h | 95 ++++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.h | 93 ++++
>>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 +
>>>>>  .../DxeMemEncryptSevLibInternal.c | 27 ++
>>>>>  .../Ia32/MemEncryptSevLib.c | 17 +
>>>>>  .../PeiMemEncryptSevLibInternal.c | 27 ++
>>>>>  .../SecMemEncryptSevLibInternal.c | 19 +
>>>>>  .../X64/DxeSnpSystemRamValidate.c | 40 ++
>>>>>  .../X64/PeiDxeVirtualMemory.c | 167 ++++++-
>>>>>  .../X64/PeiSnpSystemRamValidate.c | 127 +++++
>>>>>  .../X64/SecSnpSystemRamValidate.c | 82 ++++
>>>>>  .../X64/SnpPageStateChangeInternal.c | 294 ++++++++++++
>>>>>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 444 ++++++++++++++++--
>>>>>  OvmfPkg/PlatformPei/AmdSev.c | 231 +++++++++
>>>>>  OvmfPkg/PlatformPei/MemDetect.c | 2 +
>>>>>  OvmfPkg/Sec/AmdSev.c | 298 ++++++++++++
>>>>>  OvmfPkg/Sec/SecMain.c | 158 +------
>>>>>  UefiCpuPkg/Library/MpInitLib/AmdSev.c | 239 ++++++++++
>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 16 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c | 70 +++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.c | 345 +++++---------
>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 261 ++++++++++
>>>>>  OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 +
>>>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 17 +
>>>>>  OvmfPkg/ResetVector/Ia32/AmdSev.asm | 86 +++-
>>>>>  OvmfPkg/ResetVector/ResetVector.nasmb | 18 +
>>>>>  OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 74 +++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 2 +
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 200 ++++++++
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 +---
>>>>>  59 files changed, 3329 insertions(+), 528 deletions(-)
>>>>>  create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h
>>>>>  create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.h
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
>>>>>  create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
>>>>>
>>>>> --
>>>>> 2.25.1

I recommend you split the patch set to OvmfPkg update and UefiPkg update, unless there is strong reason that you have to mix them together.

With that, I can merge the OvmfPkg at first and we can move forward there, while waiting UefiPkg review.

If you agree, please rebase and resubmit.

Thank you

Yao Jiewen


From: Singh, Brijesh <brijesh.singh@amd.com>
Sent: Monday, November 8, 2021 10:11 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Singh, Brijesh <brijesh.singh@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>; Xu, Min M <min.m.xu@intel.com>; Lendacky, Thomas <Thomas.Lendacky@amd.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Erdem Aktas <erdemaktas@google.com>; Roth, Michael <Michael.Roth@amd.com>; Gerd Hoffmann <kraxel@redhat.com>; Ni, Ray <ray.ni@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support

 

[AMD Official Use Only]

 

Hi,

I am not getting any response from the UefiCpuPkg maintainers, I am not sure if the Ray/Rahul are on vacation or need more information.

Jiewen and Gerd,

Any recommendations how we proceed further? I can send the rebased version and we can go ahead and commit it. If UefiCpuPkg maintainer does not like something, then I am always happy to rework the stuff after the commit. I would like to send some cleanup patches post SNP series that will simplify some of the MemEncryptIs{Sev,Es,Snp}Enabled() based on our recent workarea patches. It will also help/align with the TDX series.

-Brijesh


From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Brijesh Singh via groups.io <brijesh.singh=amd.com@groups.io>
Sent: Sunday, October 31, 2021 4:40 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Singh, Brijesh <brijesh.singh@amd.com>; James Bottomley <jejb@linux.ibm.com>; Xu, Min M <min.m.xu@intel.com>; Lendacky, Thomas <Thomas.Lendacky@amd.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Erdem Aktas <erdemaktas@google.com>; Roth, Michael <Michael.Roth@amd.com>; Gerd Hoffmann <kraxel@redhat.com>; Ray Ni <ray.ni@intel.com>; Rahul Kumar <rahul1.kumar@intel.com>
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support

 

Hi Ray and Rahul,

Gentle ping. Could you please Ack or R-b the files touched in UefiCpuPkg?
-Brijesh

On 10/29/21 9:52 AM, Brijesh Singh wrote:
> Hi Jiewen,
>
> I have not heard anything back from UefiCpuPkg maintainer yet, I will
> send another gentle ping on Monday again and hope maintainer get to it.
>
> -Brijesh
>
> On 10/29/21 7:26 AM, Yao, Jiewen wrote:
>> Hi Brijesh
>> Have you got R-B from UefiCpuPkg maintainer?
>>
>>
>>
>>> -----Original Message-----
>>> From: Brijesh Singh <brijesh.singh@amd.com>
>>> Sent: Monday, October 25, 2021 7:54 AM
>>> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
>>> Cc: brijesh.singh@amd.com; James Bottomley <jejb@linux.ibm.com>; Xu, Min M
>>> <min.m.xu@intel.com>; Tom Lendacky <thomas.lendacky@amd.com>; Justen,
>>> Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel
>>> <ardb+tianocore@kernel.org>; Erdem Aktas <erdemaktas@google.com>;
>>> Michael Roth <Michael.Roth@amd.com>; Gerd Hoffmann <kraxel@redhat.com>
>>> Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging
>>> (SEV-SNP) support
>>>
>>> Thank Jiewen,
>>>
>>> I have ping'ed UefiCpuPkg maintainer (Ray and Rahul) on every patch
>>> which touches the UefiCpuPkg. If maintainer wants me to rework on
>>> something then I will work accordingly. If they are okay with v11 then
>>> now the merge will create a conflict (due to the TDX patches merge
>>> commit). I have rebased my series to the recent master and have pushed
>>> it here: https://github.com/AMDESE/ovmf/tree/snp-v12. I can post the
>>> series if you prefer it.
>>>
>>> thanks
>>>
>>> On 10/23/21 8:46 PM, Yao, Jiewen via groups.io wrote:
>>>> Yes. I will try my best to merge.
>>>>
>>>> I checked the patch set but I did not find the "R-B" from UefiCpuPkg
>>> maintainer. Neither from email nor from your v11.
>>>> Did I miss something?
>>>>
>>>> Thank you
>>>> Yao Jiewen
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Brijesh Singh <brijesh.singh@amd.com>
>>>>> Sent: Saturday, October 23, 2021 12:13 PM
>>>>> To: devel@edk2.groups.io
>>>>> Cc: James Bottomley <jejb@linux.ibm.com>; Xu, Min M
>>> <min.m.xu@intel.com>;
>>>>> Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
>>>>> <thomas.lendacky@amd.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
>>>>> Ard Biesheuvel <ardb+tianocore@kernel.org>; Erdem Aktas
>>>>> <erdemaktas@google.com>; Michael Roth <Michael.Roth@amd.com>; Gerd
>>>>> Hoffmann <kraxel@redhat.com>; Brijesh Singh <brijesh.singh@amd.com>
>>>>> Subject: [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP)
>>> support
>>>>> Hi Gerd and Jiewen,
>>>>>
>>>>> CI was a bit unstable during my v10 submission, so, I was not able to
>>>>> run it to the completion. Finally, I managed to get the CI going,
>>>>> and it reported few Windows 32-bit build errors. The v11 fixes those build
>>>>> errors. Please consider this for the merge.
>>>>>
>>>>> Thank you so much for all your support in reviewing the series.
>>>>>
>>>>> -----------------------------------------------------------------------------
>>>>> BZ:
>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>>>> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
>>>>> new hardware-based memory protections. SEV-SNP adds strong memory
>>>>> integrity
>>>>> protection to help prevent malicious hypervisor-based attacks like data
>>>>> replay, memory re-mapping and more in order to create an isolated memory
>>>>> encryption environment.
>>>>>
>>>>> This series provides the basic building blocks to support booting the SEV-SNP
>>>>> VMs, it does not cover all the security enhancement introduced by the SEV-SNP
>>>>> such as interrupt protection.
>>>>>
>>>>> Many of the integrity guarantees of SEV-SNP are enforced through a new
>>>>> structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP
>>>>> VM requires a 2-step process. First, the hypervisor assigns a page to the
>>>>> guest using the new RMPUPDATE instruction. This transitions the page to
>>>>> guest-invalid. Second, the guest validates the page using the new PVALIDATE
>>>>> instruction. The SEV-SNP VMs can use the new "Page State Change Request
>>>>> NAE"
>>>>> defined in the GHCB specification to ask hypervisor to add or remove page
>>>>> from the RMP table.
>>>>>
>>>>> Each page assigned to the SEV-SNP VM can either be validated or unvalidated,
>>>>> as indicated by the Validated flag in the page's RMP entry. There are two
>>>>> approaches that can be taken for the page validation: Pre-validation and
>>>>> Lazy Validation.
>>>>>
>>>>> Under pre-validation, the pages are validated prior to first use. And under
>>>>> lazy validation, pages are validated when first accessed. An access to an
>>>>> unvalidated page results in a #VC exception, at which time the exception
>>>>> handler may validate the page. Lazy validation requires careful tracking of
>>>>> the validated pages to avoid validating the same GPA more than once. The
>>>>> recently introduced "Unaccepted" memory type can be used to communicate
>>>>> the
>>>>> unvalidated memory ranges to the Guest OS.
>>>>>
>>>>> At this time we only support the pre-validation. OVMF detects all the
>>> available
>>>>> system RAM in the PEI phase. When SEV-SNP is enabled, the memory is
>>> validated
>>>>> before it is made available to the EDK2 core.
>>>>>
>>>>> Now that series contains all the basic support required to launch SEV-SNP
>>>>> guest. We are still missing the Interrupt security feature provided by the
>>>>> SNP. The feature will be added after the base support is accepted.
>>>>>
>>>>> Additional resources
>>>>> ---------------------
>>>>> SEV-SNP whitepaper
>>>>>
>>> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
>>>>>
>>>>> APM 2:
>>> https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)
>>>>> The complete source is available at
>>>>>
>>> https://github.com/AMDESE/ovmf/tree/snp-v11
>>>>> GHCB spec:
>>>>>
>>> https://developer.amd.com/wp-content/resources/56421.pdf
>>>>> SEV-SNP firmware specification:
>>>>>
>>> https://www.amd.com/system/files/TechDocs/56860.pdf
>>>>> Change since v10:
>>>>>  * fix 'unresolved external symbol __allshl' link error when building I32 for
>>>>> VS2017.
>>>>>
>>>>> Changes since v9:
>>>>>  * Move CCAttrs Pcd define in MdePkg
>>>>>  * Add comment to indicate that allocating the identity map PT is temporary
>>> until
>>>>> we get lazy validation
>>>>>
>>>>> Changes since v8:
>>>>>  * drop the generic metadata and make it specific to SEV.
>>>>>
>>>>> Changes since v7:
>>>>>  * Move SEV specific changes in MpLib in AmdSev file
>>>>>  * Update the GHCB register function to not restore the GHCB MSR because
>>>>>    we were already in the MSR protocol mode.
>>>>>  * Drop the SNP name from PcdSnpSecPreValidate.
>>>>>  * Add new section for GHCB memory in the OVMF metadata.
>>>>>
>>>>> Change since v6:
>>>>>  * Drop the SNP boot block GUID and switch to using the Metadata guided
>>>>> structure
>>>>>    proposed by Min in TDX series.
>>>>>  * Exclude the GHCB page from the pre-validated region. It simplifies the
>>> reset
>>>>>    vector code where we do not need to unvalidate the GHCB page.
>>>>>  * Now that GHCB page is not validated so move the VMPL check from reset
>>>>> vector
>>>>>    code to the MemEncryptSevLib on the first page validation.
>>>>>  * Introduce the ConfidentialComputingGuestAttr PCD to communicate which
>>>>>    memory encryption is active so that MpInitLib can make use of it.
>>>>>  * Drop the SEVES specific PCD as the information can be communicated via
>>>>>    the ConfidentialComputingGuestAttr.
>>>>>  * Move the SNP specific AP creation function in AmdSev.c.
>>>>>  * Define the SNP Blob GUID in a new file.
>>>>>
>>>>> Change since v5:
>>>>>  * When possible use the CPUID value from CPUID page
>>>>>  * Move the SEV specific functions from SecMain.c in AmdSev.c
>>>>>  * Rebase to the latest code
>>>>>  * Add the review feedback from Yao.
>>>>>
>>>>> Change since v4:
>>>>>  * Use the correct MSR for the SEV_STATUS
>>>>>  * Add VMPL-0 check
>>>>>
>>>>> Change since v3:
>>>>>  * ResetVector: move all SEV specific code in AmdSev.asm and add macros to
>>>>> keep
>>>>>    the code readable.
>>>>>  * Drop extending the EsWorkArea to contain SNP specific state.
>>>>>  * Drop the GhcbGpa library and call the VmgExit directly to register GHCB
>>> GPA.
>>>>>  * Install the CC blob config table from AmdSevDxe instead of extending the
>>>>>    AmdSev/SecretsDxe for it.
>>>>>  * Add the separate PCDs for the SNP Secrets.
>>>>>
>>>>> Changes since v2:
>>>>>  * Add support for the AP creation.
>>>>>  * Use the module-scoping override to make AmdSevDxe use the IO port for
>>> PCI
>>>>> reads.
>>>>>  * Use the reserved memory type for CPUID and Secrets page.
>>>>>  *
>>>>> Changes since v1:
>>>>>  * Drop the interval tree support to detect the pre-validated overlap region.
>>>>>  * Use an array to keep track of pre-validated regions.
>>>>>  * Add support to query the Hypervisor feature and verify that SNP feature is
>>>>> supported.
>>>>>  * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit
>>> from
>>>>> MMIO ranges.
>>>>>  * Pull the SevSecretDxe and SevSecretPei into OVMF package build.
>>>>>  * Extend the SevSecretDxe to expose confidential computing blob location
>>>>> through
>>>>>    EFI configuration table.
>>>>>
>>>>> Brijesh Singh (28):
>>>>>   OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
>>>>>   UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
>>>>>   OvmfPkg/ResetVector: move clearing GHCB in SecMain
>>>>>   OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
>>>>>   OvmfPkg: reserve SNP secrets page
>>>>>   OvmfPkg: reserve CPUID page
>>>>>   OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
>>>>>   OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
>>>>>   OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
>>>>>   OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
>>>>>   OvmfPkg/AmdSevDxe: do not use extended PCI config space
>>>>>   OvmfPkg/MemEncryptSevLib: add support to validate system RAM
>>>>>   OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
>>>>>   OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
>>>>>   OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI
>>>>>     phase
>>>>>   OvmfPkg/SecMain: validate the memory used for decompressing Fv
>>>>>   OvmfPkg/PlatformPei: validate the system RAM when SNP is active
>>>>>   UefiCpuPkg: Define ConfidentialComputingGuestAttr
>>>>>   OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is
>>>>>     active
>>>>>   UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV
>>>>>     status
>>>>>   UefiCpuPkg: add PcdGhcbHypervisorFeatures
>>>>>   OvmfPkg/PlatformPei: set the Hypervisor Features PCD
>>>>>   MdePkg/GHCB: increase the GHCB protocol max version
>>>>>   UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is
>>>>>     enabled
>>>>>   OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
>>>>>   OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
>>>>>   OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
>>>>>   OvmfPkg/AmdSev: expose the SNP reserved pages through configuration
>>>>>     table
>>>>>
>>>>> Michael Roth (3):
>>>>>   OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
>>>>>   OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
>>>>>   UefiCpuPkg/MpInitLib: use BSP to do extended topology check
>>>>>
>>>>> Tom Lendacky (1):
>>>>>   UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
>>>>>
>>>>>  MdePkg/MdePkg.dec | 4 +
>>>>>  OvmfPkg/OvmfPkg.dec | 18 +
>>>>>  UefiCpuPkg/UefiCpuPkg.dec | 5 +
>>>>>  OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +-
>>>>>  OvmfPkg/Bhyve/BhyveX64.dsc | 5 +-
>>>>>  OvmfPkg/OvmfPkgIa32.dsc | 4 +
>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +-
>>>>>  OvmfPkg/OvmfPkgX64.dsc | 8 +-
>>>>>  OvmfPkg/OvmfXen.dsc | 5 +-
>>>>>  OvmfPkg/OvmfPkgX64.fdf | 6 +
>>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 +
>>>>>  .../DxeMemEncryptSevLib.inf | 3 +
>>>>>  .../PeiMemEncryptSevLib.inf | 7 +
>>>>>  .../SecMemEncryptSevLib.inf | 3 +
>>>>>  OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 +
>>>>>  OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 +
>>>>>  OvmfPkg/PlatformPei/PlatformPei.inf | 7 +
>>>>>  OvmfPkg/ResetVector/ResetVector.inf | 5 +
>>>>>  OvmfPkg/Sec/SecMain.inf | 4 +
>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 6 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 6 +-
>>>>>  .../Include/ConfidentialComputingGuestAttr.h | 25 +
>>>>>  MdePkg/Include/Register/Amd/Ghcb.h | 2 +-
>>>>>  .../Guid/ConfidentialComputingSevSnpBlob.h | 33 ++
>>>>>  OvmfPkg/Include/Library/MemEncryptSevLib.h | 26 +
>>>>>  .../X64/SnpPageStateChange.h | 36 ++
>>>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 +
>>>>>  OvmfPkg/PlatformPei/Platform.h | 5 +
>>>>>  OvmfPkg/Sec/AmdSev.h | 95 ++++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.h | 93 ++++
>>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 +
>>>>>  .../DxeMemEncryptSevLibInternal.c | 27 ++
>>>>>  .../Ia32/MemEncryptSevLib.c | 17 +
>>>>>  .../PeiMemEncryptSevLibInternal.c | 27 ++
>>>>>  .../SecMemEncryptSevLibInternal.c | 19 +
>>>>>  .../X64/DxeSnpSystemRamValidate.c | 40 ++
>>>>>  .../X64/PeiDxeVirtualMemory.c | 167 ++++++-
>>>>>  .../X64/PeiSnpSystemRamValidate.c | 127 +++++
>>>>>  .../X64/SecSnpSystemRamValidate.c | 82 ++++
>>>>>  .../X64/SnpPageStateChangeInternal.c | 294 ++++++++++++
>>>>>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 444 ++++++++++++++++--
>>>>>  OvmfPkg/PlatformPei/AmdSev.c | 231 +++++++++
>>>>>  OvmfPkg/PlatformPei/MemDetect.c | 2 +
>>>>>  OvmfPkg/Sec/AmdSev.c | 298 ++++++++++++
>>>>>  OvmfPkg/Sec/SecMain.c | 158 +------
>>>>>  UefiCpuPkg/Library/MpInitLib/AmdSev.c | 239 ++++++++++
>>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 16 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c | 70 +++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.c | 345 +++++---------
>>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +-
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 261 ++++++++++
>>>>>  OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 +
>>>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 17 +
>>>>>  OvmfPkg/ResetVector/Ia32/AmdSev.asm | 86 +++-
>>>>>  OvmfPkg/ResetVector/ResetVector.nasmb | 18 +
>>>>>  OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 74 +++
>>>>>  UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 2 +
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 200 ++++++++
>>>>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 +---
>>>>>  59 files changed, 3329 insertions(+), 528 deletions(-)
>>>>>  create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h
>>>>>  create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.h
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
>>>>>  create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
>>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
>>>>>
>>>>> --
>>>>> 2.25.1
>>>>
>>>>
>>>>
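
The pre-validation bookkeeping described in the quoted cover letter (pages assigned as guest-invalid, validated once with PVALIDATE, pre-validated regions tracked in an array and skipped during system RAM validation), as an added C model that is not part of this thread or of the EDK2 series. The in-memory RMP array, the address ranges and every function name are constructed for illustration; real firmware issues PVALIDATE and Page State Change requests instead.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 0x1000ULL
#define NUM_PAGES 64 /* constructed toy guest: 256 KiB of RAM */
/* Simplified per-page RMP state for the two-step process (a model only). */
enum rmp_state { RMP_HYPERVISOR, RMP_GUEST_INVALID, RMP_GUEST_VALID };
static enum rmp_state rmp[NUM_PAGES];
struct range { uint64_t start, end; }; /* [start, end), page aligned */

/* Constructed pre-validated regions, tracked in a plain array. */
static const struct range prevalidated[] = {
    { 0x08000, 0x0a000 }, /* 2 pages */
    { 0x20000, 0x24000 }, /* 4 pages */
};
#define NUM_PREVALIDATED (sizeof(prevalidated) / sizeof(prevalidated[0]))

/* Guest step (PVALIDATE model): only a guest-invalid page can be validated. */
static int pvalidate(uint64_t gpa)
{
    if (rmp[gpa / PAGE_SZ] != RMP_GUEST_INVALID)
        return -1; /* not assigned, or already validated */
    rmp[gpa / PAGE_SZ] = RMP_GUEST_VALID;
    return 0;
}

/* Launch model: all pages assigned, then pre-validated regions validated. */
static void reset_guest(void)
{
    for (size_t i = 0; i < NUM_PAGES; i++)
        rmp[i] = RMP_GUEST_INVALID;
    for (size_t i = 0; i < NUM_PREVALIDATED; i++)
        for (uint64_t g = prevalidated[i].start; g < prevalidated[i].end; g += PAGE_SZ)
            pvalidate(g);
}

/* Lowest-starting pre-validated range overlapping [start, end), or NULL. */
static const struct range *first_overlap(uint64_t start, uint64_t end)
{
    const struct range *best = NULL;
    for (size_t i = 0; i < NUM_PREVALIDATED; i++) {
        const struct range *r = &prevalidated[i];
        if (r->start < end && start < r->end && (!best || r->start < best->start))
            best = r;
    }
    return best;
}

/* Validate [start, end); skip != 0 steps over pre-validated ranges.
 * Returns pages validated, or -1 when a page would be validated twice. */
static long validate_system_ram(uint64_t start, uint64_t end, int skip)
{
    long done = 0;
    while (start < end) {
        const struct range *ov = skip ? first_overlap(start, end) : NULL;
        uint64_t stop = ov ? ov->start : end; /* validate up to the overlap */
        for (uint64_t g = start; g < stop; g += PAGE_SZ, done++)
            if (pvalidate(g) != 0)
                return -1;
        start = ov ? ov->end : end; /* resume after the overlap */
    }
    return done;
}

static int count_valid(void)
{
    int n = 0;
    for (size_t i = 0; i < NUM_PAGES; i++)
        n += (rmp[i] == RMP_GUEST_VALID);
    return n;
}

int main(void)
{
    reset_guest();
    long skipped = validate_system_ram(0, NUM_PAGES * PAGE_SZ, 1);
    reset_guest();
    printf("skip: %ld pages, no skip: %ld\n", skipped, validate_system_ram(0, NUM_PAGES * PAGE_SZ, 0));
    return 0;
}
```

In this model the walk without the skip stops at the first pre-validated page, which is the double validation of one GPA that the cover letter says must be avoided.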



