From: "Ashish Kalra" <ashish.kalra@amd.com>
To: <devel@edk2.groups.io>
Cc: <dovmurik@linux.vnet.ibm.com>, <brijesh.singh@amd.com>,
<tobin@ibm.com>, <Thomas.Lendacky@amd.com>, <jejb@linux.ibm.com>,
<dgilbert@redhat.com>, <lersek@redhat.com>,
<jordan.l.justen@intel.com>, <ard.biesheuvel@arm.com>
Subject: [PATCH v8 6/6] OvmfPkg/AmdSevDxe: Add support for SEV live migration.
Date: Tue, 5 Apr 2022 17:33:03 +0000 [thread overview]
Message-ID: <a67eb4792352eb83e800a9c7b755e560a51c0a55.1649178155.git.ashish.kalra@amd.com> (raw)
In-Reply-To: <cover.1649178155.git.ashish.kalra@amd.com>
From: Ashish Kalra <ashish.kalra@amd.com>
Check for SEV live migration feature support, if detected
setup a new UEFI enviroment variable to indicate OVMF
support for SEV live migration.
This environment variable is created by UEFI but consumed
by the (guest) linux kernel. This is actually part of a
3-way negotiation of the live migration feature between
hypervisor, guest OVMF and guest kernel. Host indicates
support for live migration, which is detected by OVMF
and correspondingly OVMF sets this SetLiveMigrationEnabled
UEFI variable, which is read by the guest kernel and it
indicates to the guest kernel that both host and OVMF
support and have enabled the live migration feature.
The new runtime UEFI environment variable is set via the
notification function registered for the
EFI_END_OF_DXE_EVENT_GROUP_GUID event in AmdSevDxe driver.
AmdSevDxe module is an apriori driver so it gets loaded between PEI
and DXE phases and the SetVariable call will fail at the driver's
entry point as the Variable DXE module is still not loaded yet.
So we need to wait for an event notification which is signaled
after the Variable DXE module is loaded, hence, using the
EndOfDxe event notification to make this call.
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
---
OvmfPkg/AmdSevDxe/AmdSevDxe.c | 67 ++++++++++++++++++++++
OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 4 ++
OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h | 20 +++++++
OvmfPkg/OvmfPkg.dec | 1 +
4 files changed, 92 insertions(+)
create mode 100644 OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
index 662d3c4ccb..1453d68d81 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -15,10 +15,13 @@
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/DxeServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/MemEncryptSevLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Guid/ConfidentialComputingSevSnpBlob.h>
+#include <Guid/AmdSevMemEncryptLib.h>
+#include <Guid/EventGroup.h>
#include <Library/PcdLib.h>
STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
@@ -31,6 +34,39 @@ STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
FixedPcdGet32 (PcdOvmfCpuidSize),
};
+STATIC
+VOID
+EFIAPI
+AmdSevDxeOnEndOfDxe (
+ IN EFI_EVENT Event,
+ IN VOID *EventToSignal
+ )
+{
+ EFI_STATUS Status;
+ BOOLEAN SevLiveMigrationEnabled;
+
+ SevLiveMigrationEnabled = MemEncryptSevLiveMigrationIsEnabled ();
+
+ if (SevLiveMigrationEnabled) {
+ Status = gRT->SetVariable (
+ L"SevLiveMigrationEnabled",
+ &gAmdSevMemEncryptGuid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof SevLiveMigrationEnabled,
+ &SevLiveMigrationEnabled
+ );
+
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: Setting SevLiveMigrationEnabled variable, status = %lx\n",
+ __FUNCTION__,
+ Status
+ ));
+ }
+}
+
EFI_STATUS
EFIAPI
AmdSevDxeEntryPoint (
@@ -42,6 +78,7 @@ AmdSevDxeEntryPoint (
EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
UINTN NumEntries;
UINTN Index;
+ EFI_EVENT Event;
//
// Do nothing when SEV is not enabled
@@ -158,5 +195,35 @@ AmdSevDxeEntryPoint (
);
}
+ //
+ // AmdSevDxe module is an apriori driver so it gets loaded between PEI
+ // and DXE phases and the SetVariable call will fail at the driver's
+ // entry point as the Variable DXE module is still not loaded yet.
+ // So we need to wait for an event notification which is signaled
+ // after the Variable DXE module is loaded, hence, using the
+ // EndOfDxe event notification to make this call.
+ //
+ // Register EFI_END_OF_DXE_EVENT_GROUP_GUID event.
+ // The notification function sets the runtime variable indicating OVMF
+ // support for SEV live migration.
+ //
+ Status = gBS->CreateEventEx (
+ EVT_NOTIFY_SIGNAL,
+ TPL_CALLBACK,
+ AmdSevDxeOnEndOfDxe,
+ NULL,
+ &gEfiEndOfDxeEventGroupGuid,
+ &Event
+ );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: CreateEventEx(): %r\n",
+ __FUNCTION__,
+ Status
+ ));
+ }
+
return EFI_SUCCESS;
}
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
index 9acf860cf2..42f8af0d0d 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -52,3 +52,7 @@
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+
+[Guids]
+ gAmdSevMemEncryptGuid
+ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
diff --git a/OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h b/OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
new file mode 100644
index 0000000000..62d22e79a9
--- /dev/null
+++ b/OvmfPkg/Include/Guid/AmdSevMemEncryptLib.h
@@ -0,0 +1,20 @@
+/** @file
+
+ AMD Memory Encryption GUID, define a new GUID for defining
+ new UEFI environment variables assocaiated with SEV Memory Encryption.
+
+ Copyright (c) 2021, AMD Inc. All rights reserved.<BR>
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __AMD_SEV_MEMENCRYPT_LIB_H__
+#define __AMD_SEV_MEMENCRYPT_LIB_H__
+
+#define AMD_SEV_MEMENCRYPT_GUID \
+{0x0cf29b71, 0x9e51, 0x433a, {0xa3, 0xb7, 0x81, 0xf3, 0xab, 0x16, 0xb8, 0x75}}
+
+extern EFI_GUID gAmdSevMemEncryptGuid;
+
+#endif
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index b9ca441202..0f415f24db 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -142,6 +142,7 @@
gConfidentialComputingSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}}
gConfidentialComputingSevSnpBlobGuid = {0x067b1f5f, 0xcf26, 0x44c5, {0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42}}
gUefiOvmfPkgPlatformInfoGuid = {0xdec9b486, 0x1f16, 0x47c7, {0x8f, 0x68, 0xdf, 0x1a, 0x41, 0x88, 0x8b, 0xa5}}
+ gAmdSevMemEncryptGuid = {0x0cf29b71, 0x9e51, 0x433a, {0xa3, 0xb7, 0x81, 0xf3, 0xab, 0x16, 0xb8, 0x75}}
[Ppis]
# PPI whose presence in the PPI database signals that the TPM base address
--
2.25.1
prev parent reply other threads:[~2022-04-05 17:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-05 17:28 [PATCH v8 0/6] SEV Live Migration support for OVMF Ashish Kalra
2022-04-05 17:30 ` [PATCH v8 1/6] OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature Ashish Kalra
2022-04-05 17:31 ` [PATCH v8 2/6] OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state change Ashish Kalra
2022-04-05 17:32 ` [PATCH v8 3/6] OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change hypercall Ashish Kalra
2022-06-07 8:38 ` [edk2-devel] " nikunj
2022-06-07 17:28 ` Ashish Kalra
2022-06-08 13:22 ` nikunj
2022-04-05 17:32 ` [PATCH v8 4/6] OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC handler Ashish Kalra
2022-04-05 17:32 ` [PATCH v8 5/6] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall Ashish Kalra
2022-05-31 15:42 ` [edk2-devel] " Nikunj A. Dadhania
2022-04-05 17:33 ` Ashish Kalra [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a67eb4792352eb83e800a9c7b755e560a51c0a55.1649178155.git.ashish.kalra@amd.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox