From: Brijesh Singh <brijesh.singh@amd.com>
Date: Tue, 27 Jul 2021 07:31:22 -0500
Subject: Re: [PATCH V3 06/10] OvmfPkg: Add AmdSev.asm in ResetVector
To: "Xu, Min M", devel@edk2.groups.io
CC: Ard Biesheuvel, "Justen, Jordan L", Erdem Aktas, James Bottomley, "Yao, Jiewen", Tom Lendacky

On 7/27/21 6:51 AM, Xu, Min M wrote:
> On July 27, 2021 6:57 PM, Brijesh Singh wrote:
>> Hi Min,
>>
>> This refactoring is already done by the SNP patch series.
>>
>> https://edk2.groups.io/g/devel/message/77336?p=,,,20,0,0,0::Created,,posterid%3A5969970,20,2,20,83891510
>>
>> It appears that you are also pulling in some of the TDX logic inside
>> AmdSev.asm, such as
>>
>> ;
>> +PostJump64BitAndLandHereSev:
>> +
>> + ;
>> + ; If it is Tdx guest, jump to exit point directly.
>> + ; This is because following code may access the memory region which has
>> + ; not been accepted. It is not allowed in Tdx guests.
>> + ;
>> + mov eax, dword[TDX_WORK_AREA]
>> + cmp eax, 0x47584454 ; 'TDXG'
>> + jz GoodCompare
>>
>> Why are we referring to the TDX work area inside AmdSev.asm?
> See my explanation in the above comments. In Tdx guests a memory region cannot
> be accessed unless it is accepted by the guest or initialized by the host VMM. In
> PostJump64BitAndLandHereSev there is an access to dword[SEV_ES_WORK_AREA_RDRAND]
> which is not initialized by the host VMM. If this code will not be executed in
> a Tdx guest, then the above check is not needed. I need your help to confirm it.
>
> There are similar Tdx checks in my patch of AmdSev.asm.
> For example in CheckSevFeatures
> byte[SEV_ES_WORK_AREA] is used to record the SEV-ES flag. This memory region is
> not initialized by the host VMM either. So in Tdx it will trigger an error.
>
> Another solution is that the memory regions used by SEV in ResetVector are added
> into the Tdx metadata so that the host VMM will initialize those memory regions when
> it creates the Td guest. What's your opinion?

I am not fully versed in TDX yet, and sorry, I am not able to follow your
question completely to provide any advice. With SEV and SEV-ES, a guest can
access the memory without going through the validation process, but with
SEV-SNP, the page needs to be validated (aka accepted) before the access. In
the SNP series, we ensure that the data pages used in the reset vector are
pre-validated at VM creation time -- this allows us to access the pages
without going through the accept process. If I follow you correctly on your
metadata comment, then it is similar to saying pre-validate these ranges of
pages used in the reset vector code (that include the GHCB page, page table
pages etc.), right?

For SEV-SNP, see this patch
https://edk2.groups.io/g/devel/message/77342?p=,,,20,0,0,0::Created,,posterid%3A5969970,20,2,20,83891520

A VMM (qemu) looks for the range of pages it needs to pre-validate before
the boot; the range is provided through the GUID (SevSnpBootBlock).

>> I will take out my refactoring patch outside of the SNP series and submit it so
>> that you can build on top of it. This will simplify the review process.
>>
> Thank you very much for the refactoring. I will refine my patch based on it.
>> thanks
>>
>>
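Review bot: the TDX guest check at the top of PostJump64BitAndLandHereSev belongs in the caller, not in AmdSev.asm: reading dword[TDX_WORK_AREA] from SEV-specific code couples the two guest types' work-area layouts, which is exactly the concern the reply raises. Since the comment says the check exists only so that a TDX guest never touches dword[SEV_ES_WORK_AREA_RDRAND], either have the common reset-vector path skip the SEV routines once it has identified a TDX guest, or, as the thread proposes, add the SEV work-area pages to the TDX metadata so the host initializes them before the guest reads them; in both cases the check disappears from AmdSev.asm. Separately, the bare constant in `cmp eax, 0x47584454 ; 'TDXG'` should be a named equate shared with the TDX code that writes that signature, so the two sides cannot drift apart.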
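The lookup Brijesh describes, where the VMM reads a GUID entry out of the firmware's reset-vector table to learn which page ranges to pre-validate before an SEV-SNP guest boots, as an added example that is not part of this thread or of the edk2/QEMU code. It is a Python parser run over a constructed OVMF-style image. The real layout facts it relies on are the OVMF table footer GUID (96b582de-1fb2-45f7-baea-a366c55a082d), the footer sitting 32 bytes before the end of the image (the AP entry point and reset vector follow it), and the per-entry format of payload, 16-bit length and GUID walked backwards from the footer. The SevSnpBootBlock GUID value, its payload layout of (base, size) pairs and the sample addresses are assumptions labelled as such in the code.

```python
"""Walk the GUIDed table at the top of an OVMF-style firmware image and
report the page ranges a VMM would pre-validate for an SEV-SNP guest.

Added example, not edk2 or QEMU code.  Real layout facts used:
  * the table footer is a u16 length plus a 16-byte GUID, ending 32 bytes
    before the end of the image (AP entry point and reset vector follow),
  * every entry is [payload][u16 length][16-byte GUID], the length covers
    the whole entry, and the table is walked backwards from the footer.
Assumed for this example (not from the page): the SevSnpBootBlock GUID
value and a payload of (u32 base, u32 size) pairs.
"""
import struct
import uuid
from typing import Dict, List, Optional, Tuple

OVMF_TABLE_FOOTER_GUID = uuid.UUID("96b582de-1fb2-45f7-baea-a366c55a082d")
# PLACEHOLDER: the real SevSnpBootBlock GUID is not on the page.
SEV_SNP_BOOT_BLOCK_GUID = uuid.UUID("00000000-0000-4000-8000-00000000a5e0")
# PLACEHOLDER: stands in for any other table entry (e.g. the SEV-ES reset block).
OTHER_BLOCK_GUID = uuid.UUID("00000000-0000-4000-8000-00000000a5e1")
BYTES_AFTER_FOOTER = 32          # AP entry point (16 bytes) + reset vector (16 bytes)
ENTRY_TRAILER = 2 + 16           # u16 length + GUID
PAGE = 0x1000


def find_ovmf_table(image: bytes) -> Optional[Dict[uuid.UUID, bytes]]:
    """Return {guid: payload} for every entry, or None when there is no footer."""
    footer_end = len(image) - BYTES_AFTER_FOOTER
    if footer_end < ENTRY_TRAILER:
        return None
    if uuid.UUID(bytes_le=image[footer_end - 16:footer_end]) != OVMF_TABLE_FOOTER_GUID:
        return None
    (total_len,) = struct.unpack_from("<H", image, footer_end - ENTRY_TRAILER)
    table_start = footer_end - total_len
    if total_len < ENTRY_TRAILER or table_start < 0:
        raise ValueError("footer length does not fit in the image")
    entries: Dict[uuid.UUID, bytes] = {}
    pos = footer_end - ENTRY_TRAILER      # end of the last real entry
    while pos > table_start:
        guid = uuid.UUID(bytes_le=image[pos - 16:pos])
        (length,) = struct.unpack_from("<H", image, pos - ENTRY_TRAILER)
        # A length shorter than its own trailer or running past the table start is corrupt.
        if length < ENTRY_TRAILER or pos - length < table_start:
            raise ValueError("corrupt table entry")
        entries[guid] = image[pos - length:pos - ENTRY_TRAILER]
        pos -= length
    return entries


def snp_prevalidate_ranges(image: bytes) -> List[Tuple[int, int]]:
    """(base, size) pairs the VMM must pre-validate; empty if the image has none."""
    table = find_ovmf_table(image)
    if table is None or SEV_SNP_BOOT_BLOCK_GUID not in table:
        return []
    payload = table[SEV_SNP_BOOT_BLOCK_GUID]
    if len(payload) % 8:
        raise ValueError("SNP boot block payload is not (base, size) pairs")
    ranges = [(base, size) for base, size in struct.iter_unpack("<II", payload)]
    for base, size in ranges:
        # Pre-validation works on whole pages, so reject anything unaligned or empty.
        if base % PAGE or size % PAGE or size == 0:
            raise ValueError(f"range {base:#x}+{size:#x} is not page aligned")
    return ranges


def _entry(guid: uuid.UUID, payload: bytes) -> bytes:
    return payload + struct.pack("<H", len(payload) + ENTRY_TRAILER) + guid.bytes_le


def build_image(entries: List[Tuple[uuid.UUID, bytes]], size: int = 0x2000) -> bytes:
    """Constructed image: 0xFF fill, then the table, the footer and 32 trailing bytes."""
    table = b"".join(_entry(g, p) for g, p in entries)
    footer = struct.pack("<H", len(table) + ENTRY_TRAILER) + OVMF_TABLE_FOOTER_GUID.bytes_le
    tail = table + footer + b"\x90" * BYTES_AFTER_FOOTER   # NOPs stand in for AP entry/reset vector
    return b"\xff" * (size - len(tail)) + tail


def sample_image() -> bytes:
    """Constructed sample: one unrelated entry plus an SNP block naming two sample pages."""
    snp_payload = struct.pack("<IIII", 0x80B000, PAGE, 0x80C000, PAGE)   # sample addresses
    return build_image([(OTHER_BLOCK_GUID, b"\x01\x02\x03"), (SEV_SNP_BOOT_BLOCK_GUID, snp_payload)])


if __name__ == "__main__":
    for base, size in snp_prevalidate_ranges(sample_image()):
        print(f"pre-validate {base:#010x}-{base + size - 1:#010x}")
```

The parser refuses entries whose length would run past the start of the table, which is the check a VMM needs before trusting lengths read out of guest-supplied firmware; an image with no footer simply yields no ranges rather than an error, since a non-SNP firmware legitimately has nothing to pre-validate.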