Re: [PATCH v2] OvmfPkg/PlatformPei: Validate SEC's GHCB page

["Lendacky, Thomas" <thomas.lendacky@amd.com>]

On 12/9/22 12:58, Adam Dunlap wrote:
> When running under SEV-ES, a page of shared memory is allocated for the
> GHCB during the SEC phase at address 0x809000. This page of memory is
> eventually passed to the OS as EfiConventionalMemory. When running
> SEV-SNP, this page is not PVALIDATE'd in the RMP table, meaning that if
> the guest OS tries to access the page, it will think that the host has
> voilated the security guarantees and will likely crash.
> 
> This patch validates this page immediately after EDK2 switches to using
> the GHCB page allocated for the PEI phase.
> 
> This was tested by writing a UEFI application that reads to and writes
> from one byte of each page of memory and checks to see if a #VC
> exception is generated indicating that the page was not validated.
> 
> Fixes: 6995a1b79bab ("OvmfPkg: Create a GHCB page for use during Sec phase")
> 
> Signed-off-by: Adam Dunlap <acdunlap@google.com>
> ---
>   OvmfPkg/PlatformPei/AmdSev.c | 21 ++++++++++++++++++---
>   1 file changed, 18 insertions(+), 3 deletions(-)
> 
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index e1b9fd9b7f..df560a8679 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -212,7 +212,7 @@ AmdSevEsInitialize (
>     UINTN                GhcbBackupPageCount;
>     SEV_ES_PER_CPU_DATA  *SevEsData;
>     UINTN                PageCount;
> -  RETURN_STATUS        PcdStatus, DecryptStatus;
> +  RETURN_STATUS        PcdStatus, Status;

I'm not sure if the CI will complain in this case, but it doesn't allow 
multiple variable definitions in a line. And with the change I suggested, 
this will now likely trigger a CI failure (you can check by submitting a 
pull request to the EDK2 project, which will run the CI but not actually 
commit anything, and seeing if you encounter any issues).

>     IA32_DESCRIPTOR      Gdtr;
>     VOID                 *Gdt;
>   
> @@ -240,12 +240,12 @@ AmdSevEsInitialize (
>     // only clear the encryption mask for the GHCB pages.
>     //
>     for (PageCount = 0; PageCount < GhcbPageCount; PageCount += 2) {
> -    DecryptStatus = MemEncryptSevClearPageEncMask (
> +    Status = MemEncryptSevClearPageEncMask (
>                         0,
>                         GhcbBasePa + EFI_PAGES_TO_SIZE (PageCount),
>                         1
>                         );

You'll have to re-align the arguments under the lower-case "m" now.

> -    ASSERT_RETURN_ERROR (DecryptStatus);
> +    ASSERT_RETURN_ERROR (Status);
>     }
>   
>     ZeroMem (GhcbBase, EFI_PAGES_TO_SIZE (GhcbPageCount));
> @@ -295,6 +295,21 @@ AmdSevEsInitialize (
>   
>     AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa);
>   
> +  //
> +  // Now that the PEI GHCB is set up, the SEC GHCB page is no longer necessary
> +  // to keep shared. Later, it is exposed to the OS as EfiConventionalMemory, so
> +  // it needs to be marked private. The size of the region is hardcoded in
> +  // OvmfPkg/ResetVector/ResetVector.nasmb in the definition of
> +  // SNP_SEC_MEM_BASE_DESC_2.
> +  //
> +

Remove the blank line here.

> +  Status = MemEncryptSevSetPageEncMask (
> +    0,                                  // Cr3 -- use system Cr3
> +    FixedPcdGet32 (PcdOvmfSecGhcbBase),
> +    1                                   // Number of pages
> +    );

These arguments need to be aligned under the lower case "m", too.

Thanks,
Tom

> +  ASSERT_RETURN_ERROR (Status);
> +
>     //
>     // The SEV support will clear the C-bit from non-RAM areas.  The early GDT
>     // lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT