From: "Min Xu" <min.m.xu@intel.com>
To: Brijesh Singh <brijesh.singh@amd.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: James Bottomley <jejb@linux.ibm.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Erdem Aktas <erdemaktas@google.com>,
"Michael Roth" <Michael.Roth@amd.com>
Subject: Re: [PATCH v3 3/3] OvmfPkg/ResetVector: move the GHCB page setup in AmdSev.asm
Date: Thu, 19 Aug 2021 14:15:23 +0000
Message-ID: <PH0PR11MB5064FBC8B41CBE72C9F57717C5C09@PH0PR11MB5064.namprd11.prod.outlook.com>
In-Reply-To: <20210817134651.20444-4-brijesh.singh@amd.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
> -----Original Message-----
> From: Brijesh Singh <brijesh.singh@amd.com>
> Sent: Tuesday, August 17, 2021 9:47 PM
> To: devel@edk2.groups.io
> Cc: James Bottomley <jejb@linux.ibm.com>; Xu, Min M
> <min.m.xu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> Ard Biesheuvel <ardb+tianocore@kernel.org>; Erdem Aktas
> <erdemaktas@google.com>; Michael Roth <Michael.Roth@amd.com>; Brijesh
> Singh <brijesh.singh@amd.com>
> Subject: [PATCH v3 3/3] OvmfPkg/ResetVector: move the GHCB page setup in
> AmdSev.asm
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> While building the initial page tables, SetCr3ForPageTables64 checks whether
> SEV-ES is enabled. If so, it clears the page encryption mask from the GHCB page.
> Move the logic that clears the page encryption mask into AmdSev.asm.
>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
> OvmfPkg/ResetVector/Ia32/AmdSev.asm | 111 +++++++++++++++++-----
> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 53 ++---------
> 2 files changed, 92 insertions(+), 72 deletions(-)
>
> diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> index 87d81b01e263..250ac8d8b180 100644
> --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> @@ -44,6 +44,27 @@ BITS 32
> ; The unexpected response code
> %define TERM_UNEXPECTED_RESP_CODE 2
>
> +%define PAGE_PRESENT 0x01
> +%define PAGE_READ_WRITE 0x02
> +%define PAGE_USER_SUPERVISOR 0x04
> +%define PAGE_WRITE_THROUGH 0x08
> +%define PAGE_CACHE_DISABLE 0x010
> +%define PAGE_ACCESSED 0x020
> +%define PAGE_DIRTY 0x040
> +%define PAGE_PAT 0x080
> +%define PAGE_GLOBAL 0x0100
> +%define PAGE_2M_MBO 0x080
> +%define PAGE_2M_PAT 0x01000
> +
> +%define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \
> + PAGE_DIRTY + \
> + PAGE_READ_WRITE + \
> + PAGE_PRESENT)
> +
> +%define PAGE_PDP_ATTR (PAGE_ACCESSED + \
> + PAGE_READ_WRITE + \
> + PAGE_PRESENT)
> +
>
> ; Macro is used to issue the MSR protocol based VMGEXIT. The caller is ;
> responsible to populate values in the EDX:EAX registers. After the vmmcall
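Review bot: the PAGE_* attribute %defines added here (PAGE_PDP_ATTR, PAGE_4K_PDE_ATTR and the bit values they are built from) are the same constants the removed PageTables64.asm code used, and the PageTables64.asm hunks in this patch do not remove them, so the same definitions now appear to live in two files of the same reset-vector build. Consider moving them to one shared include, or say in the commit message why both copies are kept, so the two sets cannot drift apart. PAGE_2M_MBO, PAGE_2M_PAT, PAGE_GLOBAL, PAGE_PAT, PAGE_CACHE_DISABLE, PAGE_WRITE_THROUGH and PAGE_USER_SUPERVISOR are not referenced by any code added to AmdSev.asm in this patch.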
> @@ -117,6 +138,70 @@ BITS 32
> SevEsUnexpectedRespTerminate:
> TerminateVmgExit TERM_UNEXPECTED_RESP_CODE
>
> +; If SEV-ES is enabled then initialize and make the GHCB page shared
> +SevClearPageEncMaskForGhcbPage:
> + ; Check if SEV is enabled
> + cmp byte[WORK_AREA_GUEST_TYPE], 1
> + jnz SevClearPageEncMaskForGhcbPageExit
> +
> + ; Check if SEV-ES is enabled
> + cmp byte[SEV_ES_WORK_AREA], 1
> + jnz SevClearPageEncMaskForGhcbPageExit
> +
> + ;
> + ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted.
> + ; This requires the 2MB page for this range be broken down into 512 4KB
> + ; pages. All will be marked encrypted, except for the GHCB.
> + ;
> + mov ecx, (GHCB_BASE >> 21)
> + mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR
> + mov [ecx * 8 + PT_ADDR (0x2000)], eax
> +
> + ;
> + ; Page Table Entries (512 * 4KB entries => 2MB)
> + ;
> + mov ecx, 512
> +pageTableEntries4kLoop:
> + mov eax, ecx
> + dec eax
> + shl eax, 12
> + add eax, GHCB_BASE & 0xFFE0_0000
> + add eax, PAGE_4K_PDE_ATTR
> + mov [ecx * 8 + GHCB_PT_ADDR - 8], eax
> + mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx
> + loop pageTableEntries4kLoop
> +
> + ;
> + ; Clear the encryption bit from the GHCB entry
> + ;
> + mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12
> + mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0
> +
> + mov ecx, GHCB_SIZE / 4
> + xor eax, eax
> +clearGhcbMemoryLoop:
> + mov dword[ecx * 4 + GHCB_BASE - 4], eax
> + loop clearGhcbMemoryLoop
> +
> +SevClearPageEncMaskForGhcbPageExit:
> + OneTimeCallRet SevClearPageEncMaskForGhcbPage
> +
> +; Check if SEV is enabled, and get the C-bit mask above 31.
> +; Modified: EDX
> +;
> +; The value is returned in the EDX
> +GetSevCBitMaskAbove31:
> + xor edx, edx
> +
> + ; Check if SEV is enabled
> + cmp byte[WORK_AREA_GUEST_TYPE], 1
> + jnz GetSevCBitMaskAbove31Exit
> +
> + mov edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4]
> +
> +GetSevCBitMaskAbove31Exit:
> + OneTimeCallRet GetSevCBitMaskAbove31
> +
> ; Check if Secure Encrypted Virtualization (SEV) features are enabled.
> ;
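Review bot: SevClearPageEncMaskForGhcbPage takes EDX as an input (the C-bit mask above 31 is written into the upper dword of every 4K entry by `mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx`) and clobbers EAX and ECX, but unlike GetSevCBitMaskAbove31 directly below it, its header comment documents neither. Add "Input: EDX = C-bit mask above 31" and "Modified: EAX, ECX" lines, since the routine silently depends on the caller having run GetSevCBitMaskAbove31 and not having touched EDX since; a caller that forgets this would build 4K entries with the C-bit cleared on every page, not just the GHCB.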
> ; Register usage is tight in this routine, so multiple calls for the @@ -249,32
> +334,6 @@ SevExit:
>
> OneTimeCallRet CheckSevFeatures
>
> -; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feature -;
> is enabled.
> -;
> -; Modified: EAX
> -;
> -; If SEV-ES is enabled then EAX will be non-zero.
> -; If SEV-ES is disabled then EAX will be zero.
> -;
> -IsSevEsEnabled:
> - xor eax, eax
> -
> - ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set
> - ; to 1 if SEV is enabled.
> - cmp byte[WORK_AREA_GUEST_TYPE], 1
> - jne SevEsDisabled
> -
> - ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if
> - ; SEV-ES is enabled.
> - cmp byte[SEV_ES_WORK_AREA], 1
> - jne SevEsDisabled
> -
> - mov eax, 1
> -
> -SevEsDisabled:
> - OneTimeCallRet IsSevEsEnabled
> -
> ; Start of #VC exception handling routines ;
>
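Review bot: dropping IsSevEsEnabled is consistent with the only call site visible in this patch (the `OneTimeCall IsSevEsEnabled` removed from PageTables64.asm), but its SEV and SEV-ES checks are now duplicated inline at the top of SevClearPageEncMaskForGhcbPage rather than reused. If any other ResetVector source still references IsSevEsEnabled the build fails with an undefined symbol, so either state in the commit message that the helper has no remaining callers or keep it and have SevClearPageEncMaskForGhcbPage call it.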
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index f688909f1c7d..07b6ca070909 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -46,16 +46,13 @@ SetCr3ForPageTables64:
> ; work area when detected.
> mov byte[WORK_AREA_GUEST_TYPE], 0
>
> + ; Check whether the SEV is active and populate the SevEsWorkArea
> OneTimeCall CheckSevFeatures
> - xor edx, edx
> - test eax, eax
> - jz SevNotActive
>
> - ; If SEV is enabled, C-bit is always above 31
> - sub eax, 32
> - bts edx, eax
> -
> -SevNotActive:
> + ; If SEV is enabled, the C-bit position is always above 31.
> + ; The mask will be saved in the EDX and applied during the
> + ; the page table build below.
> + OneTimeCall GetSevCBitMaskAbove31
>
> ;
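Review bot: the added comment reads "applied during the / the page table build below" with a doubled "the", and "Check whether the SEV is active" should read "Check whether SEV is active". Since GetSevCBitMaskAbove31 now reads the mask straight from SEV_ES_WORK_AREA_ENC_MASK rather than computing it from the EAX returned by CheckSevFeatures, the comment could also say that CheckSevFeatures must have populated the work area first, which is the ordering this hunk relies on.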
> ; For OVMF, build some initial page tables at @@ -105,44 +102,8 @@
> pageTableEntriesLoop:
> mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
> loop pageTableEntriesLoop
>
> - OneTimeCall IsSevEsEnabled
> - test eax, eax
> - jz SetCr3
> -
> - ;
> - ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted.
> - ; This requires the 2MB page for this range be broken down into 512 4KB
> - ; pages. All will be marked encrypted, except for the GHCB.
> - ;
> - mov ecx, (GHCB_BASE >> 21)
> - mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR
> - mov [ecx * 8 + PT_ADDR (0x2000)], eax
> -
> - ;
> - ; Page Table Entries (512 * 4KB entries => 2MB)
> - ;
> - mov ecx, 512
> -pageTableEntries4kLoop:
> - mov eax, ecx
> - dec eax
> - shl eax, 12
> - add eax, GHCB_BASE & 0xFFE0_0000
> - add eax, PAGE_4K_PDE_ATTR
> - mov [ecx * 8 + GHCB_PT_ADDR - 8], eax
> - mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx
> - loop pageTableEntries4kLoop
> -
> - ;
> - ; Clear the encryption bit from the GHCB entry
> - ;
> - mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12
> - mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0
> -
> - mov ecx, GHCB_SIZE / 4
> - xor eax, eax
> -clearGhcbMemoryLoop:
> - mov dword[ecx * 4 + GHCB_BASE - 4], eax
> - loop clearGhcbMemoryLoop
> + ; Clear the C-bit from the GHCB page if the SEV-ES is enabled.
> + OneTimeCall SevClearPageEncMaskForGhcbPage
>
> SetCr3:
> ;
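Review bot: the replacement comment "Clear the C-bit from the GHCB page if the SEV-ES is enabled" understates what SevClearPageEncMaskForGhcbPage does: it also splits the 2MB region containing GHCB_BASE into a 4K page table at GHCB_PT_ADDR and zeroes GHCB_SIZE bytes of the GHCB. Suggest "; If SEV-ES is enabled, build a 4K page table for the GHCB range, clear the C-bit on the GHCB page and zero it". It is also worth noting next to the call that it relies on EDX still holding the C-bit mask from GetSevCBitMaskAbove31 earlier in SetCr3ForPageTables64, which pageTableEntriesLoop leaves intact.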
> --
> 2.17.1