From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by mx.groups.io with SMTP id smtpd.web08.7761.1631195671838090659 for ; Thu, 09 Sep 2021 06:54:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=oE5grFL+; spf=pass (domain: intel.com, ip: 134.134.136.100, mailfrom: min.m.xu@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10101"; a="284498066" X-IronPort-AV: E=Sophos;i="5.85,280,1624345200"; d="scan'208";a="284498066" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Sep 2021 06:54:31 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.85,280,1624345200"; d="scan'208";a="694122780" Received: from fmsmsx604.amr.corp.intel.com ([10.18.126.84]) by fmsmga006.fm.intel.com with ESMTP; 09 Sep 2021 06:54:31 -0700 Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx604.amr.corp.intel.com (10.18.126.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 9 Sep 2021 06:54:30 -0700 Received: from fmsmsx601.amr.corp.intel.com (10.18.126.81) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 9 Sep 2021 06:54:30 -0700 Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Thu, 9 Sep 2021 06:54:30 -0700 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.174) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.12; Thu, 9 Sep 2021 06:54:30 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oNTA4tlBzQxA5rJ4oRVZGlL5prtBQJhTR+9xX+sU0XOk5ns794b1wYv3bLoQVbxsGGtM3ytjRrD9wKZKxp5nHDnRVevvUMfkccBQxtdk6nFXsv2em4GhcRZxzXKk49DEJhY7lNzzJPdS7agX3J4rrGZZwU2MOwK6FI0C1g7v4k3B7B3hkh1OImz3wFcObbDCRpzHN7+EUB/KDO7eibRf9A5jDkoV3PfSJogBHHWu89Z8gfHYPV07dXbBgiIlA2fbcaIJpbgBtLu97v4EPz5QJMZOluiiQvWyncBWdzyc+p0MEgk5AD8Aa7ouDDbezZhnNxCm7ySeaf7Z/DELC6iTSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EOPiQ5yWZBWfISM3g5c8grnoXR2hqBe8P4qg3sdc9Jo=; b=J78HwcJrJdhDTfvdjmfNdu3qW+8sdqLMPq60syafjdDwvwjg2mn4GgMiWv+M3cPrgmka/FvY6MRR7VKQtuuo6X62ETvBvkVU1ddJciqLwFIiMMRCATsI7r5FMizn7Y6Zxf7YpYy05RNGNES9OEPtFv29sfAljmsYSuiGtbDgheXT8efCyhnDC4xHpqa5Qj6lmeD02C4HUqEhzFP3nX7pUGkGJetFIhYTo8KuZoI+q6wqtmUnbQMYod4MSySOYm4qf42VcZCeSQcGx2taMdGoKgnBnfYR5O+o6bdziMyDGKYUwqpNW66QXhMN7TUEK5TUsoGJQUhF26e96evdVyCr6g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EOPiQ5yWZBWfISM3g5c8grnoXR2hqBe8P4qg3sdc9Jo=; b=oE5grFL+D4O3w7VU/v8fF3NBiDcplp7tzdKdSR3ugEQMVzxsk0HPjM5oJvNQHknsk6h99oM+mMl83kbRe0HP6PBXuJO7KvWMsJbJ/TY8E3Vl2+AiUGuXhe4qaR0p8qglYGPLip8ywQwtPtq6e+vAKB3LEICcXMJYhCckvJ2sYsc= Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15) by PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.16; Thu, 9 Sep 2021 13:54:26 +0000 Received: from PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::c93:200e:5aeb:e11b]) by PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::c93:200e:5aeb:e11b%3]) with mapi id 15.20.4415.029; Thu, 9 Sep 2021 13:54:26 +0000 From: "Min Xu" To: "kraxel@redhat.com" , "Yao, Jiewen" CC: "devel@edk2.groups.io" , Ard Biesheuvel , "Justen, Jordan L" , Brijesh Singh , Erdem Aktas , James Bottomley , Tom Lendacky Subject: Re: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf Thread-Topic: [edk2-devel] [PATCH V5 2/2] OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf Thread-Index: AQHXnUe8X7jjLtXUt0aYMxY+W+0FeauLqi4AgAFA1CCAAC5bAIACxYsAgAB76QCAAAT8IIABRkcAgAArcYCACfRNQA== Date: Thu, 9 Sep 2021 13:54:26 +0000 Message-ID: References: <81c97a782bbbf83043854ad8a86d14604918d788.1630289827.git.min.m.xu@intel.com> <20210830074058.22gfqmzrha4su6fh@sirius.home.kraxel.org> <20210831053510.ian6sqpefzmrrfi7@sirius.home.kraxel.org> <20210902071812.2qet62x7npu25rht@sirius.home.kraxel.org> <20210903053919.ybkq7imveuxbufao@sirius.home.kraxel.org> In-Reply-To: <20210903053919.ybkq7imveuxbufao@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.5.1.3 authentication-results: redhat.com; dkim=none (message not signed) header.d=none;redhat.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 45656781-8dbd-4980-4439-08d97399568d x-ms-traffictypediagnostic: PH0PR11MB4885: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: pImzFowKzikyLa9Vj2x0rE/v9oqCphTart8HhYpcIJfJgomR7vAJHL2hmfR5ghnNWgXNIhMmpnk7H5qA+tPEA9Dm0VpHWLKiN1lykrWZJpD3Jvo81Ggy/mfusefWYd7gOdFjqQY0F7UvbSe6LAJYKQVP9vTAg8Ujij9kbFr66Gq0aKwx486VTef1INdPaNnGm4vtGxk7gD4DBA7ol2HhCL2MEUrAbsR4dn1BJ0uwb3UVa/AqGvHkPevOKppkF6Wkm2tROnvZQLlsiSNiDUxBo/a4jSsFOoxShrXzDH42sHf07TUz8Geb3CVPm1/nBfWC+A8HFY69nSCvWUPrMfvFBWd4p5rDQKSLHhZ/DXCj4YXX8C3jHHxnRU5urfIoxgbz+GQLWDIVBaMwEbB4AzcIn3rSExb7pUjnLYOrt2ulH6c/iVNPFVzur4aS2uHTUP3ZgALE57w0CLm+BRoShKi7Vca0os49nGKthOrVbm/8QKZO4KM3gBM/4XnjBKf5l8Xvz8ENJYOwVt3Hk06mqxUlxozv/XqNCAbVmwbLFtiGvW98ROyLjqV69nIVYg3VtlYEET7kmWQxG+W5gMZTaiMtrtC728XP088AlJ+qBlZka/HJ6Hv4NbOSVlqcvt9dU3XQRicgqTXNC8MZsFi4xSODFx6BXhoQnc7qx94f+fRHoBnk4X72uRcrDAc1u/nww1HRLI/sir40gutkYpUJtqw+Ig== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(136003)(39860400002)(366004)(346002)(376002)(396003)(6506007)(83380400001)(38100700002)(52536014)(122000001)(33656002)(71200400001)(2906002)(55016002)(86362001)(38070700005)(9686003)(4326008)(54906003)(110136005)(8676002)(66446008)(66946007)(66556008)(66476007)(64756008)(8936002)(76116006)(7696005)(19627235002)(5660300002)(186003)(478600001)(26005)(316002)(6636002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?fzLBjdg3KwqgkbMzEdfLOW/amL6t+Lj9sYQoD+lDTy2vmYede1lzBPIYyGzX?= =?us-ascii?Q?guBywtMUeAXCYmyYscXJDnZfErtrOiK8yWUu+grQG/gRS4Su/KO9nDWzc6d/?= =?us-ascii?Q?qufJ1agkEwo9X4qBe3MvwcCOnikg5jAZBsfGzpMoDr6MD6arC3VtQfVPiFi7?= =?us-ascii?Q?nk9HTOOr+rNyfLLrEzda6J6DDrnCdVLqzPzWLKk+xT9VcdlLWHwVeuwLky3K?= =?us-ascii?Q?OoZxNPTKoazgvUvWZ+rhEB3gPvkMNGoYtqzNJhC+FI4spBN9tz6qUHvcfJ6g?= =?us-ascii?Q?h8+DmaxHp8GoinmvlC+14V/3OSl4knlxiTsDDdqfS5ijiD17gmNykH+ktKLL?= =?us-ascii?Q?o2NspA2sUX+jGoPNBE8hBjZ7dlWd3paiR422MUaJiMv1zbaz4OLbBqZ2b1O0?= =?us-ascii?Q?aTI5BGvm7lAPfzmX8Fv2PAVylh07zVo8UdwmqquxS2kf4Cdb5sVlYRTAeb0p?= =?us-ascii?Q?qFDTvKDt3vkUR/e8yUIFlPxOlgWcwT54muxtHlT+WwweH5XCbdtQ2UKIPfWJ?= =?us-ascii?Q?Ol3AWz6TbLYfBVY73qr9l4rzmAjQAsnZOC6+K3DiKEqhGjTOqCziZSEzYUT1?= =?us-ascii?Q?eXk/dhEJSvTBzJzpFMyzBgHAcvf3hZZI71ZoZNiGTVRrazRu9dofLAaVqtlS?= =?us-ascii?Q?6MxFp0x7V51HJxfY+/CSvcfRFAIeJK8RTMAN4FB+vES/vbuHiIyxjLUxMarW?= =?us-ascii?Q?lHZrpmegc6NGvMkcaL8wdc7/ibrJlTsZ93oI77+r64+Zej6wVJrcrhj8CN8a?= =?us-ascii?Q?mMbBqemUzzmn2UrQ/DV9SsrMDgQCrZoN0eyQwvh1yDJpSS0GFgNWv1OE07Xb?= =?us-ascii?Q?BhHUoXNBzK/yn3VpgE11MT5kBDB+hsXHYQ+qMWxrI6SRVYxNKmRUsGxHnzD4?= =?us-ascii?Q?s9V+ld2jJZ2C9mFM08aGECLRcVB9OMoVS2bPycHEyJx0TsgPdALJ8kyuH+So?= =?us-ascii?Q?Ratzc60I05mEfvodUTCfOwowj71BeE9MGVWPC13ltXpTsJw4QELKANwdU1FW?= =?us-ascii?Q?BHuOT5IM+VRAIMHt8WdgqayARVCYRvZIaBAKe2qEJEOtdmx6OmJeuA5R6yjP?= =?us-ascii?Q?+80Fv3tpBwtQ2UPmziVWZhsaCtdg4YN874FGZ7suZ8TYaQkGDZVVlESZpv6+?= =?us-ascii?Q?73n3s778BteQk2FkThOXkzFduSXFiq3BVc3dHnD9pVkAykOi2iIQbim7lAD5?= =?us-ascii?Q?fF8b6Ck5/raM5bbL5Xc1Z7iNFfpXR9MJ62BHgz59lECU33TD0vVHQE8G8ZNg?= =?us-ascii?Q?pHpBNMVQBz4Lv12vE6rOoIdSBJqZ8yhJEABFH01zyCmjCdwE/j2Xnzb3nJr3?= =?us-ascii?Q?5PEo2Pvy7yXXPhMPW8/9FIVR?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 45656781-8dbd-4980-4439-08d97399568d X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2021 13:54:26.7770 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 9M/1pu6fhlM4PsNxtdHgaZsvgccuKaaaQcMbOsVs5o8KC3fXCRtoTfu5Iz32mePvPOxNmwlLPKK9hZf5zdSlJw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4885 Return-Path: min.m.xu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable On September 3, 2021 1:39 PM, Gerd Hoffmann wrote: > On Fri, Sep 03, 2021 at 03:03:50AM +0000, Yao, Jiewen wrote: > > HI Min/Gerd > > I think we have multiple ways to enable 5 level paging. > > > > 1) We do not change to 5 level in initial paging in reset vector. > > We can switch from 4 level to 5 level later when permanent memory is > available. > > We don't need change flash layout. >=20 > Does that work with tdx? >=20 > I had the impression that ovmf can't choose whenever it uses 4-level or 5= -level > paging in case tdx is enabled, but instead has to use what the tdx firmwa= re (or > hardware?) dictates. And this being the reason why we have to deal with = that > in the reset vector in the first place. >=20 > But maybe I'm wrong here. >=20 > If we can use 4-level paging initially, then we surely should go for opti= on (1) > and simply not touch the reset vectors paging code. After PoC I find this option is not a good one. Though the reset vectors is= not touched, there are tricky changes in DxeIpl. To set up 5-level paging = in an 4-level paging, it should first be switched from 64-bit long mode to = 32 protected mode, then turn off the Paging, disable IA32_ERER.LME, then se= t the Cr4. The tricky thing is that in TDX IA32_EFER is not changeable. Mde= ModulePkg/.../DxeIpl is widely used and it is high risk to make such chang= es. >=20 > > 2) We can enable 5 level paging in initial paging. > > 2.1) We can enable 5 level paging with 1G paging support. > > We don't need change flash layout. Only 3 pages is needed. (12K) I > > don't know if we can real case that a CPU support 5 level but without 1= G > paging. According to Intel SDM Volume 3 Section 4.1.1. Quote "6. Processors that support 4-level paging or 5-level paging do not n= ecessarily support 1-GByte page; see Section 4.1.4" So option 2.1 is not feasible. > > > > 2.2) We can still enable 5 level paging with 2M paging. > > 2.2.1) We can change flash layout to increase 6 pages (24K) memory to 7 > pages (28K). > > So the CR3 in 5 level is same as the CR3 in 4 level. > > > > 2.2.2) We don't change flash layout but steal another page in > > somewhere else - PcdOvmfPml5Base That means CR3 in 5 level is different > with CR4 in 4 level. > > Personally, I don't like the idea to create PcdOvmfPml5Base/Size Other > > AP MUST check 5 level and 4 level to get right CR3 location. That is tr= icky and > unnecessary. > > > > In current patch, 2.2.2) is used. > > > > I suggest we also evaluate option 1), 2.1) and 2.2.1). >=20 > My idea is 2.2.1 with a fixed, 5-level layout. > Then use 4-level-cr3 =3D=3D 5-level-cr3 + PAGE_SIZE Agree. 5-level-cr3 =3D PT_ADDR (0), 4-level-cr3 =3D PT_ADDR (0x1000) 2.2.1 is preferred. >=20 > 2.1 looks good too. As I explained above, 2.1 is not feasible. >=20 I will use 2.2.1 to implement 5-level paging in OvmfPkgX64. Thanks! Min