Re: [edk2-devel] [PATCH RFC v3 03/22] OvmfPkg/MemEncryptSevLib: extend the workarea to include SNP enabled field

["Laszlo Ersek" <lersek@redhat.com>]

On 06/08/21 15:51, Brijesh Singh wrote:
> 
> On 6/8/21 3:17 AM, Laszlo Ersek wrote:
>>
>>>> (3) Actually, no.
>>>>
>>>> This patch should be reduced to the following files only:
>>>>
>>>> - OvmfPkg/PlatformPei/AmdSev.c
>>>> - OvmfPkg/PlatformPei/PlatformPei.inf
>>>>
>>>> and the following changes should be dropped completely:
>>>>
>>>> - OvmfPkg/Include/Library/MemEncryptSevLib.h
>>>> - OvmfPkg/ResetVector/Ia32/PageTables64.asm
>>>> - OvmfPkg/ResetVector/ResetVector.nasmb
>>>>
>>>> Specifically, the "SEC_SEV_ES_WORK_AREA.SevSnpEnabled" field should
>>>> never be introduced.
>>>>
>>>> The reason is apparent only from patch #10 -- "OvmfPkg/PlatformPei:
>>>> register GHCB gpa for the SEV-SNP guest".
>>>>
>>>> The core idea is that in patch#10, in the SEC module, you can implement
>>>> SevSnpIsEnabled() by just reading MSR_SEV_STATUS, and checking the SNP
>>>> bit. Namely, while the SevSnpIsEnabled() call is made in
>>>> SevEsProtocolCheck(), i.e., before exception handling is set up in the
>>>> SEC module -- and so you indeed cannot call CPUID --, you don't *have*
>>>> to call CPUID at that call site. Where you call SevSnpIsEnabled() in
>>>> SevEsProtocolCheck(), you already know that SEV-ES is enabled, so it's
>>>> safe to just read the exact same SEV status MSR that the SEV-ES status
>>>> comes from in the first place, without any CPUID safety check.
>>> We must check the SNP Enabled inside the assembly code for the page
>>> invalidate functions, and I decided to cache the value. A similar
>>> SNP-enabled check is required in SEC phase before the
>>> ProcessLibraryConstrctorList() is called. There are two options on how
>>> we can go about doing the SNP enabled check inside the SEC phase
>>> 1. Call the SEV_STATUS MSR after reading the
>>> SEC_SEV_ES_WORK_AREA.SevEnabled. As you said, we need to be sure that ES
>>> is enabled before calling the SEV_STATUS MSR.
>>> 2. SEV_STATUS MSR is read in Reset vector for the SNP enabled check
>>> purpose. Extend the SevEsWorkArea to cache the state.
>>>
>>>  I chose #2 because it avoids checking for ES enabled before checking
>>> the SNP enabled. I understand that in the current code path, SNP check
>>> is called inside the SevEsProtocolCheck() -- ES is already enabled, and
>>> its safe to call SEV_STATUS MSR. What if we need to check for the SNP
>>> state outside the ES-specific code block in the future? Then we will
>>> need to extend the SevEsWorkArea.
>> What would be the reason for this, ever?
> 
> One reason I can think of is if we ever decided validate the pages
> before the SevEsProtocolCheck(). The version 2 of GHCB spec adds few new
> NAE's that are SNP specific such as Page State Change. They are not
> applicable to the ES guests. Currently, we do the page validation much
> later and by then ProcessorConstructList() is called. Anyway, this is
> not an important thing to consider right now. As I said, I will drop the
> extending workarea to cache the SNP enable and Hypervisor feature values.

Thanks.

I agree there are conflicting goals here (and by that I don't mean my
goals conflict with yours). One goal is to avoid speculative generality,
as (in my experience) actual usage of such generality rarely
materializes, but we keep paying the price of a more complex data flow
in maintenance. The conflicting goal is to lay a future-proof foundation
(also known as "let's not code ourselves into a corner").

Personally, I'm really bad at predicting the future, while (I feel)
more-complex-than-necessary data flow tends to sound my alarm quickly.
(Perhaps because that can make debugging difficult.) I know I'm going
out on a limb here and that I might eat my words later, but right now, I
think we should not extend the work area.

Thanks for putting up with me.


> 
> 
>>
>> I think this ties in with another point (or question) I raised
>> elsewhere: the assembly code in the reset vector suggests *anyway* that
>> SNP is only available if ES is available, but I couldn't verify that
>> from any specs. If this dependency is an architectural fact (that is, if
>> ES is absent, then SNP may never be present), then I wouldn't like to
>> introduce a separate field for SNP presence in the SEC_SEV_ES_WORK_AREA
>> structure.
> 
> The SEV-SNP builds upon existing SEV and SEV-ES support and provides an
> additional protection from the hypervisor. The SEV-SNP feature requires
> both the SEV and SEV-ES must be enabled. There is some text about it in
> APM volume 2 [1] chapter  15.36.
> 
> 
> [1] https://www.amd.com/system/files/TechDocs/24593.pdf

Perfect, the first paragraph is exactly what I needed:

    The SEV-SNP features enable additional protection for encrypted VMs
    designed to achieve stronger isolation from the hypervisor. SEV-SNP
    is used with the SEV and SEV-ES features described in Section 15.34
    and Section 15.35 respectively and requires the enablement and use
    of these features.

Thanks!
Laszlo