From: "Min Xu" <min.m.xu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"brijesh.singh@amd.com" <brijesh.singh@amd.com>,
Vishal Annapurve <vannapurve@google.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Erdem Aktas <erdemaktas@google.com>,
James Bottomley <jejb@linux.ibm.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V6 1/1] OvmfPkg: Enable TDX in ResetVector
Date: Fri, 17 Sep 2021 12:55:13 +0000
Message-ID: <PH0PR11MB50642497A9D17F5E210DFEEEC5DD9@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <aeb4a5c3-082b-6023-6657-2dc7327d03cd@amd.com>

On September 15, 2021 3:53 AM, Brijesh Singh wrote:
>
> Hi Vishal,
>
> On 9/14/21 2:00 PM, Vishal Annapurve wrote:
> > Hi Min, Brijesh,
> >
> > Regarding:
> >> diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> >> b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> >> ...
> >> +%ifdef ARCH_IA32
> >> nop
> >> nop
> >> jmp EarlyBspInitReal16
> >>
> >>+%else
> >>+
> >>+ smsw ax
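Review bot: the `smsw ax` added after `%else` carries no comment in the lines shown saying why the machine status word is read here or which bit the following code depends on; please add one. It also executes on every build where ARCH_IA32 is not defined rather than only under TDX, so the choice of instruction affects every other guest type that enters through this reset vector and should be justified or gated.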
> >
> > We are having intermittent VM crashes with running this code in
> > AMD-SEV enabled VMs. As per the AMD64 manual
> > <https://www.amd.com/system/files/TechDocs/24593.pdf> section 15.8.1,
> > executing "smsw" instruction doesn't result in bit 63 being set in
> > EXITINFO1 and KVM ends up emulating "smsw" instruction by trying to
> > read encrypted guest VM memory as per the code
> > <https://git.kernel.org/pub/scm/virt/kvm/kvm.git/tree/arch/x86/kvm/svm/svm.c#n2495>.
> > Since KVM tries to make sense of different random cipher texts in
> > different boots, it seems to intermittently result in visible issues.
> >
>
> The smsw does not provide decode assist; in those cases KVM reads the
> guest memory and tries to decode. With an encrypted guest, the memory
> contains the ciphertext and the hypervisor will not be able to decode the
> instruction.
>
> But it brings a question to Min: why are we using the smsw? Why can't we
> use mov CRx? The smsw was meant for very old processors (286 or 8086
> etc.) and is used for legacy compatibility. The recommendation is to use
> the mov CRx. The mov CRx will provide the decode assist to the HV.

As I mentioned in my last mail, in the beginning I missed the limitation of smsw.
So I updated the code (ResetVectorVtf0.asm) as below, using mov CRx.

                               <1> BITS 16
   176 00000800 0F20C0         <1>     mov eax, cr0    <-- previously it was smsw
   177 00000803 A801           <1>     test al, 1
   178 00000805 7405           <1>     jz .Real
   179                         <1> BITS 32
   180 00000807 E951FFFFFF     <1>     jmp Main32
   181                         <1> BITS 16
   182                         <1> .Real:
   183 0000080C E939FF         <1>     jmp EarlyBspInitReal16

I tested the code on an AMD SEV server and tried to launch an SEV guest. This time it got stuck at the *mov eax, cr0*.
I am curious if *mov eax, cr0* works in real mode in an SEV guest?

I also tested the code in a legacy VM guest and a TD guest; all passed.

Did I miss something?

I followed https://github.com/AMDESE/AMDSEV to set up the AMD SEV environment and successfully launched an SEV guest with the OVMF image.

Thanks!
Min
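
The decode-assist distinction discussed in the quoted replies, as a simplified C model added here (it is not code from the patch, from KVM or from the AMD manual). The function and enum names are hypothetical, the smsw ax encoding is supplied here rather than quoted in the thread, and the model assumes the CR0-read intercept fires for both instructions.

```c
#include <stdint.h>
#include <stdio.h>

#define CR_VALID (1ULL << 63)  /* EXITINFO1 bit 63: decode-assist data valid */
#define REG_MASK 0xFULL        /* EXITINFO1 bits 3:0: GPR number */

enum outcome { USED_DECODE_ASSIST, EMULATED_FROM_MEMORY, EMULATION_READS_CIPHERTEXT };

/* 0F 20 C0 is the mov eax, cr0 from the listing above; 0F 01 E0 is the
 * standard encoding of smsw ax (supplied here, not quoted in the thread). */
static const uint8_t MOV_EAX_CR0[3] = { 0x0F, 0x20, 0xC0 };
static const uint8_t SMSW_AX[3]     = { 0x0F, 0x01, 0xE0 };

/* CPU side (model): EXITINFO1 reported for an intercepted CR0 read.
 * Only MOV r32, CRn (0F 20 /r) reports the GPR and sets bit 63. */
uint64_t exitinfo1_for(const uint8_t insn[3])
{
    if (insn[0] == 0x0F && insn[1] == 0x20)
        return CR_VALID | (uint64_t)(insn[2] & 0x7); /* ModRM.rm = GPR */
    return 0; /* SMSW (0F 01 /4): bit 63 stays clear */
}

/* Hypervisor side (model): use EXITINFO1 when it is valid; otherwise fall
 * back to fetching and decoding the instruction from guest memory, which
 * yields ciphertext when the guest is encrypted. */
enum outcome handle_cr0_read(uint64_t exitinfo1, int guest_encrypted, unsigned *gpr)
{
    if (exitinfo1 & CR_VALID) {
        *gpr = (unsigned)(exitinfo1 & REG_MASK);
        return USED_DECODE_ASSIST;
    }
    return guest_encrypted ? EMULATION_READS_CIPHERTEXT : EMULATED_FROM_MEMORY;
}

int main(void)
{
    static const char *names[] = { "decode assist", "emulated from guest memory",
                                   "emulation reads ciphertext" };
    unsigned gpr = 0;
    printf("mov eax, cr0 (SEV): %s\n", names[handle_cr0_read(exitinfo1_for(MOV_EAX_CR0), 1, &gpr)]);
    printf("smsw ax (SEV):      %s\n", names[handle_cr0_read(exitinfo1_for(SMSW_AX), 1, &gpr)]);
    printf("smsw ax (plain VM): %s\n", names[handle_cr0_read(exitinfo1_for(SMSW_AX), 0, &gpr)]);
    return 0;
}
```

The model covers only what the hypervisor can learn from EXITINFO1; it does not explain the hang at mov eax, cr0 reported in this message.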