From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "ashish.kalra@amd.com"
CC: "dovmurik@linux.vnet.ibm.com", "brijesh.singh@amd.com", "tobin@ibm.com", "Thomas.Lendacky@amd.com", "jejb@linux.ibm.com", "Justen, Jordan L", "ard.biesheuvel@arm.com", "erdemaktas@google.com", "Xu, Min M"
Subject: Re: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
Date: Thu, 5 Aug 2021 05:17:15 +0000

Hi

I have some questions:

1) May I know what is the usage of this UEFI variable - SevLiveMigrationEnabled?
I only see it is created, but I do not see how it is consumed.

2) Is this a full live migration patch, or is this just a startup and there will be more on the way?

Thank you
Yao Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Ashish Kalra via groups.io
> Sent: Monday, August 2, 2021 8:31 PM
> To: devel@edk2.groups.io
> Cc: dovmurik@linux.vnet.ibm.com; brijesh.singh@amd.com; tobin@ibm.com;
> Thomas.Lendacky@amd.com; jejb@linux.ibm.com; Justen, Jordan L;
> ard.biesheuvel@arm.com; erdemaktas@google.com; Yao, Jiewen; Xu, Min M
> Subject: [edk2-devel] [PATCH v6 0/6] SEV Live Migration support for OVMF.
>
> From: Ashish Kalra
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3467
>
> By default all the SEV guest memory regions are considered encrypted,
> if a guest changes the encryption attribute of the page (e.g. mark a
> page as decrypted) then notify hypervisor. Hypervisor will need to
> track the unencrypted pages. The information will be used during
> guest live migration, guest page migration and guest debugging.
>
> The patch-set detects if it is running under KVM hypervisor and then
> checks for SEV live migration feature support via KVM_FEATURE_CPUID,
> if detected setup a new UEFI environment variable to indicate OVMF
> support for SEV live migration.
>
> A branch containing these patches is available here:
> https://github.com/ashkalra/edk2-1/tree/sev_live_migration_v5_10
>
> Changes since v5:
>  - Split first patch into three components, one patch for the
>    MemEncryptSevLiveMigrationIsEnabled() API, one patch for the
>    SetMemoryEncDecHypercall3() API, one patch to make use of the
>    SetMemoryEncDecHypercall3() API.
>  - Fix patch subject, in code and patch comments and
>    additionally add relevant comments.
>  - Replace SetMemoryEncDecHypercall3() API's Status argument
>    with a boolean IsEncrypted argument and corresponding fixes
>    to users of this API call.
>  - Fix AsciiStrCmp() usage in KVM hypervisor detection code.
>
> Changes since v4:
>  - Remove MemEncryptHypercallLib Library and add support to issue
>    hypercall in the BaseMemEncryptSevLib library itself.
>  - For SEV-ES, make the VC handler hypercall aware by comparing
>    the hypercall number and add the additional register values
>    in the GHCB.
>  - Fix comments in the hypercall API interface.
>  - The encryption bit is set/clear on the smallest page size, hence
>    use the 4k page size in MAP_GPA_RANGE hypercall.
>  - Make the hypercall expect the guest physical address to be
>    page-aligned.
>  - Add KVM live migration feature flag check in BaseMemEncryptSevLib
>    library similar to how BaseMemEncryptSevLib does for the
>    MemEncryptSevIsEnabled() and check it before invoking HC. Also
>    export the MemEncryptSevLiveMigrationIsEnabled() function as
>    part of the library.
>  - Add error handling on hypercall return, on failure, return error
>    code to caller which potentially will cause an assert() and
>    terminate the boot.
>
> Changes since v3:
>  - Fix all DSC files under OvmfPkg except X64 to add support for
>    BaseMemEncryptLib and add NULL instance of BaseMemEncryptLib
>    for 32 bit platforms.
>  - Add the MemEncryptHypercallLib-related files to Maintainers.txt,
>    in section "OvmfPkg: Confidential Computing".
>  - Add support for the new KVM_HC_MAP_GPA_RANGE hypercall interface.
>  - Add patch for SEV live migration support.
>
> Changes since v2:
>  - GHCB_BASE setup during reset-vector as decrypted is marked explicitly
>    in the hypervisor page encryption bitmap after setting the
>    PcdSevEsIsEnabled PCD.
>
> Changes since v1:
>  - Mark GHCB_BASE setup during reset-vector as decrypted explicitly in
>    the hypervisor page encryption bitmap.
>  - Resending the series with correct shallow threading.
>
> Ashish Kalra (6):
>   OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
>   OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state
>     change
>   OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change
>     hypercall
>   OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC
>     handler
>   OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
>   OvmfPkg/AmdSevDxe: Add support for SEV live migration.
>
>  OvmfPkg/AmdSevDxe/AmdSevDxe.c                 | 64 +++++++++++++++++
>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf               |  4 ++
>  OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h    | 20 ++++++
>  OvmfPkg/Include/Library/MemEncryptSevLib.h    | 70 +++++++++++++++++++
>  .../DxeMemEncryptSevLib.inf                   |  1 +
>  .../DxeMemEncryptSevLibInternal.c             | 39 +++++++++++
>  .../Ia32/MemEncryptSevLib.c                   | 27 +++++++
>  .../PeiDxeMemEncryptSevLibInternal.c          | 52 ++++++++++++++
>  .../PeiMemEncryptSevLib.inf                   |  1 +
>  .../PeiMemEncryptSevLibInternal.c             | 39 +++++++++++
>  .../SecMemEncryptSevLibInternal.c             | 38 ++++++++++
>  .../X64/AsmHelperStub.nasm                    | 33 +++++++++
>  .../X64/MemEncryptSevLib.c                    | 62 ++++++++++++++++
>  .../X64/PeiDxeVirtualMemory.c                 | 20 ++++++
>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 13 ++++
>  OvmfPkg/OvmfPkg.dec                           |  1 +
>  OvmfPkg/PlatformPei/AmdSev.c                  | 11 +++
>  17 files changed, 495 insertions(+)
>  create mode 100644 OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/AsmHelperStub.nasm
>
> --
> 2.17.1
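
The guest-side rules listed in the quoted changelog (feature check before the hypercall, 4k page size, page-aligned GPA, error returned to the caller) can be modelled in user space as below. This is an added example, not code from the patch series or from edk2: all function names and the 64-page mock hypervisor bitmap are hypothetical, returning success when the feature is absent is an assumption, and the constants are the values I take from the Linux KVM paravirt headers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed values, as defined in the Linux KVM paravirt ABI (kvm_para.h). */
#define KVM_HC_MAP_GPA_RANGE          12
#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K  0u
#define KVM_MAP_GPA_RANGE_ENCRYPTED   (1u << 4)
#define KVM_MAP_GPA_RANGE_DECRYPTED   (0u << 4)

#define PAGE_SIZE_4K  0x1000ull
#define MOCK_PAGES    64        /* constructed: the mock guest has 64 pages */

/* Mock hypervisor state: one flag per 4k page, 1 = shared (decrypted). */
static uint8_t mock_shared[MOCK_PAGES];
/* Hypothetical stand-in for the KVM CPUID live migration feature check. */
static bool mock_live_migration = true;

/* Hypothetical stand-in for the hypercall; a real guest traps to KVM here. */
static int64_t mock_hypercall3(uint64_t nr, uint64_t gpa, uint64_t npages,
                               uint64_t attr)
{
    uint64_t first = gpa / PAGE_SIZE_4K;
    if (nr != KVM_HC_MAP_GPA_RANGE ||
        (attr & 0xF) != KVM_MAP_GPA_RANGE_PAGE_SZ_4K)
        return -1;
    if (first >= MOCK_PAGES || npages > MOCK_PAGES - first)
        return -1;              /* range lies outside the mock guest memory */
    memset(&mock_shared[first],
           (attr & KVM_MAP_GPA_RANGE_ENCRYPTED) ? 0 : 1, npages);
    return 0;
}

/* Guest side: 0 on success or when the feature is absent, -1 on error. */
int notify_enc_state_change(uint64_t gpa, uint64_t npages, bool is_encrypted)
{
    if (!mock_live_migration)
        return 0;               /* feature absent: do not issue the hypercall */
    if (gpa & (PAGE_SIZE_4K - 1))
        return -1;              /* the hypercall expects a page-aligned GPA */
    uint64_t attr = KVM_MAP_GPA_RANGE_PAGE_SZ_4K |
        (is_encrypted ? KVM_MAP_GPA_RANGE_ENCRYPTED
                      : KVM_MAP_GPA_RANGE_DECRYPTED);
    /* A failure goes back to the caller, which may assert and stop the boot. */
    return mock_hypercall3(KVM_HC_MAP_GPA_RANGE, gpa, npages, attr) == 0 ? 0 : -1;
}

/* Query the mock hypervisor's view of one page. */
int page_is_shared(uint64_t gpa) { return mock_shared[gpa / PAGE_SIZE_4K]; }
```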