From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (NAM10-BN7-obe.outbound.protection.outlook.com [40.107.92.48]) by mx.groups.io with SMTP id smtpd.web08.33008.1620046528755625101 for ; Mon, 03 May 2021 05:55:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=WHNaru+V; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.92.48, mailfrom: brijesh.singh@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JabaNDxA2YEg3/KdNhNAKUx0RZG4y42af3cYC4ACLvx2Dhl9OJPhoVkirD9xY6tnfGFFsz8eFRRR3Lwl/VM/jqfUIETazgTBC9Dy1PmdXsxiWSkgBE4StPnxo+/jtylb6NhqqOBXwZR9GeY8nUF7dwrF1gmlvW7YwVoK8PVGjhEuH57BvU5p7TJXwQGWI1YteEXH12vxYFg77hRKc2ZLmwTncsPOE1dP/9sSPDLnBTz71Fs/SwYqMbA1dzoGVafMDcNukEAPItdHUy9RYVmULodhTMuXYSBabKcKHG7Xv3ozxYrYl45oucMgzLVH8y5f6kAxzvNUFPW44gurxCxteg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6++MwKFMbY9CNSaSHoqN59AWXg7aa6DqCgsDTMQ2/2U=; b=LnzXC8zkBb05tNctB0kc+8WLeQ7yXg8HfTxwco/Xv/eUKLH1FUSsrTYrIqB713bLWU3exeOwefTz+tNvv3O2mGJADJAfr5JSuaQrZe9m0nZI7RbSwvEK7JwgCkdglqVZJ+AWcYE0lE8vNa1p7cem84CU9RocGUQWKmggDAIhT/AVgcah9x4zYqIPtb8z/Ua0f9OnS6Z1uEQRjipLUW6aL2NdCYhc3bLPJZ+bJdEfn3IsxzzqcynKQs6ghHTBI95iL0lxLkO0+mhe9fC3nBEG/rGCdQvRV1hFXs58xBLVHkAkPGB46hN9MtmkHa/QCiSbtpeWWXRUXBAcDDbMKK1qpA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6++MwKFMbY9CNSaSHoqN59AWXg7aa6DqCgsDTMQ2/2U=; b=WHNaru+VmlhAiVr/iFcQwJU8FWLc6ARIABc/qwLBhcdMzKvSmCS3OIyO1zHx62afZ3t8v92GIJtzo+wdORoknJAdP96Ugs8Dlb/owWrEGAiVIDjsakEptscbZ7LEn4hW4gPOOMdasMPcl+YPvvOlQMHYfA4gMuX6xKbREEV40NM= Authentication-Results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SN1PR12MB2367.namprd12.prod.outlook.com (2603:10b6:802:26::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.40; Mon, 3 May 2021 12:55:26 +0000 Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94%6]) with mapi id 15.20.4087.044; Mon, 3 May 2021 12:55:26 +0000 Cc: brijesh.singh@amd.com, James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Erdem Aktas Subject: Re: [edk2-devel] [PATCH RFC v2 03/28] MdePkg: Define the GHCB GPA structure To: Laszlo Ersek , devel@edk2.groups.io References: <20210430115148.22267-1-brijesh.singh@amd.com> <20210430115148.22267-4-brijesh.singh@amd.com> From: "Brijesh Singh" Message-ID: Date: Mon, 3 May 2021 07:55:23 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 In-Reply-To: X-Originating-IP: [70.112.153.56] X-ClientProxiedBy: SN4PR0201CA0047.namprd02.prod.outlook.com (2603:10b6:803:2e::33) To SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) Return-Path: brijesh.singh@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from Brijeshs-MacBook-Pro.local (70.112.153.56) by SN4PR0201CA0047.namprd02.prod.outlook.com (2603:10b6:803:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.25 via Frontend Transport; Mon, 3 May 2021 12:55:25 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8d9adc8e-a304-4859-f2d9-08d90e32b8a4 X-MS-TrafficTypeDiagnostic: SN1PR12MB2367: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:10000; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: f8Ew7UVA+YEpfp5xnSrzJpBMCH3mu8joeAl4CemAO1a1dG2ZgAFxTmVr0M5705MKPMqFvRVnlWbKPLDYs4ZPCB3m6TJPDIlIUoCPMpJm1r8UbkeDs6eHxylhNbpErpChnSPN13C5CgStiUpUvDiQoH5I/rprY+x5HfRJRpmtDrufj+F69jqX41+3TIOm9mUnYv1TNwkUCEC4OYm378Xu+hQnzea2aOEs2vRB7p2wjFblWNSCGapEQbB18sSuHt8S/LpT08s99vlCMFl7u/46h0XXr+3xXCGUKPKGzyZSjpKJyFQDptVzlNVu1al+fGHL/HRNSfcKA9jCIppSUXJgWE5K8/0n6k56Jz/V2V02isrwwJxg4Z0PMoHtSVjgsao7PmZxk6KEUMBxW4+KNziEMCs00H68klQJ09H1mdZSqQXgZrdagd9/4kJdb+YSxEUAQwiQBsIeovpysDhIHROhDBxwn5y5Qx/lfvtClTRt7ibz5tHZJfQxRrHgETpa0DQQ2qN10jiaJszgIciDl+2i5MKAuh42RIo9crb5J/foF/hQ8wJaCKMzvELb0qKk3VIw6sL3l138/OyqXZckDbKnrHnUYByw3M9k7I+fO8LxyAQRC78FFMkIEdiUjRvW44w1AXSrTqFvUphBrygeQxgDxorBeFh/0VOfCtcnVPxlxsEBfPagXBqPGmTGj3Fh4t+7wIbmn3JgM3eA0ZuSQLqztUb7h16QFskxLO9gUfooZh0fItHa9fZdA6YUUOq4gbgbXpEFxRSSIYIv9ckahQY1ZyiFUWntF31Mckmqb2ujdPsc4nof1kO8TiJnCIdlFlyv X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2718.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(376002)(39860400002)(396003)(136003)(346002)(366004)(86362001)(36756003)(6512007)(31686004)(478600001)(8936002)(45080400002)(2906002)(6486002)(52116002)(83380400001)(54906003)(956004)(2616005)(26005)(31696002)(66476007)(5660300002)(66556008)(38100700002)(19627235002)(186003)(38350700002)(16526019)(66946007)(8676002)(316002)(53546011)(966005)(6506007)(4326008)(44832011)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?ZTVWdmxhSmJNYXlQeWd6Y2lybnRVallXN0lxbWhSa2JDYUg2T1JBQm9ueUdB?= =?utf-8?B?cTliSU0wUFFaWnc3T3ZCK1NDL3o4WnV0ak10bHVudWgyTzNDZXZiZUlxeGpO?= =?utf-8?B?dlhvaEQ5WHNFVFJDRzlEWmZ6OWFIbG02THg1d042VWpzU3p3YmhaeCsrSUta?= =?utf-8?B?cTNkTnNWbHd6YlEybzhjTS9ocTZmbnVnbVJodi83YzNJZGdZSE5Rd3NkODIr?= =?utf-8?B?aWlVU3hRQjVjSzNVM2VIclVtWk5aVHpFa3c4cmJ1dmhBS0NsRmcyTFRDTExU?= =?utf-8?B?Zy9jN1JQMTljeS9FRURxbzFVZjFjdDJ5ZDVWSThudjlYSy9pNEJxTjBYUE5n?= =?utf-8?B?L1VXcXFQNEdzTDZJK0xGUllyTEFESTI5a2NMU3ZXUFBXcTdRMG5CemdUSW1l?= =?utf-8?B?N2tRcUZIa2NZemRRaGsyZjFaTHRSTmk3MU5lVTViNzl5RFREMFJkMlh3MVZw?= =?utf-8?B?YXZseGkwa1Jia3VJMEJUMklibmlIUmZBMm93M1lqZHlMb3RPbnptY0JwU1U1?= =?utf-8?B?L3lIOUlDMm5nUTc0eWFNbXBCZFhvMUZLVkdlbGNmOU5EUkg4N3YxYThOWlJo?= =?utf-8?B?NEVWMHNXd0luRi9YbFNzdVJLUWVrYzBzdlZ3N1IvdkJPdGpKS2F1bDVHVmcy?= =?utf-8?B?dWs4S2xQUWtoMkt1aSthaklQZjJPK2xma3dKa0xidGhvdXhvSmQ0Q1gzWGJa?= =?utf-8?B?YTlodUoxaDJNeG5rY3lFeVZBdGs4clJaU1BCdW1zSjVZbzVJS0ZnN2hyWk1z?= =?utf-8?B?Zm1CZkJ3bU5jNXZmc0wzT1pkOWZRQnFWWXJRZndsdXVKVUNoWVhnNW1oMTZB?= =?utf-8?B?K1JkNStOLzZsV0Jpd1lRYWNPSVZBTFpZK0VVN3ByK1E0eHZPdU9jd0wvM2xj?= =?utf-8?B?a05JQkROcVozU3RtQ2YvSmhSclZyWmZGZGE5aUVDeWxlZVoxcXlZRU9JSVJS?= =?utf-8?B?dm5WSGFsTHh5bktDOGZya1JrdHp0UWhPb3dWdjVqZVA2K29mdWdaSlFlaUN6?= =?utf-8?B?aDM5UHJmNkNSRlJTdXNHUllwS3FWb256SWVWQ0xjbis3NXpvT3V4aURiN0li?= =?utf-8?B?RERPMjZwclczamN5VTMvbHRvMU5CL2w4WmpyczdHT1JManRGWmIxT211ZVB4?= =?utf-8?B?Y0c4L2xTTGxSb01HL3ZsSjFvYVlIN2d2UlVvR3o0Y2VJVlpOM2M3VmhrQmFH?= =?utf-8?B?dE9nWUgwbFVxRUp3d1hpbzJHQ3ZRT1dSN1RIMEhhV2RaVFZrSmNGWG40MHFk?= =?utf-8?B?SWtjY1JLMEM0Y3E5VHY1eVB6bDdsRmU3QUgzWEFXRXZ0a29kaXI2eW54WFNP?= =?utf-8?B?NzgzMHk5S0pTYU9FOU1FdXlIVzltaEt6VlBkMW91Qy9FWDVYWVdTRGowSk9o?= =?utf-8?B?MUNhNSsvSEgzclhxYWx3Zm5acFRndElwWkIvTTh5RVYrWkprMnBsY1hzZTVh?= =?utf-8?B?cERSV0xUVzZLaWRyVjBFVVJuWmowNUdBOXdaT0xKdlp4SXEyVm41M3ptejk4?= =?utf-8?B?VnJqQ2d5bTc4SVF0M2h1YlZPS2ZBczRlT3dZaVhrMXNKREc0WTByU3R1YXpi?= =?utf-8?B?Tzg2NG9ZL285akpieTZKRHplNDNwZStOV3JqTzVxd2p5ZHBheHQzdnZHbm5r?= =?utf-8?B?dE4zbjFMbDMxd2NnRXZjRERtemRxTHE5QVNuT2hjak1RQVhQN2s1SU02b080?= =?utf-8?B?bVNqV2crWkJQVjVER1k0eWZDanFHc3ZSYzRKdDZQQjg4UGlzSXpOR1NMSldP?= =?utf-8?Q?+YTh5VoqjSRCRVSP03BEaRjkZ8yHAZQdb6UB1LK?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8d9adc8e-a304-4859-f2d9-08d90e32b8a4 X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 May 2021 12:55:26.0696 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: rjwj7QjLVLVfFWBJPYj0ul2IYfwRL8VNWjOsMST2kqniT4O2vHpjikXnAAhc1jEJUgOV452M+C+3NRZJ30/2Ew== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB2367 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US On 5/3/21 7:19 AM, Laszlo Ersek wrote: > On 05/03/21 12:24, Laszlo Ersek wrote: >> On 04/30/21 13:51, Brijesh Singh wrote: >>> BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3275&data=04%7C01%7Cbrijesh.singh%40amd.com%7C9eac9a93753d403dcc4d08d90e2dbcb5%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637556411874265560%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=eNafEGfhCMOkOboQOJnxq8Rw%2BOTuvAUGIziDuELV8%2Bk%3D&reserved=0 >>> >>> An SEV-SNP guest is required to perform the GHCB GPA registration. See >>> the GHCB specification for further details. >>> >>> Cc: James Bottomley >>> Cc: Min Xu >>> Cc: Jiewen Yao >>> Cc: Tom Lendacky >>> Cc: Jordan Justen >>> Cc: Ard Biesheuvel >>> Cc: Laszlo Ersek >>> Cc: Erdem Aktas >>> Signed-off-by: Brijesh Singh >>> --- >>> MdePkg/Include/Register/Amd/Fam17Msr.h | 7 +++++++ >>> 1 file changed, 7 insertions(+) >>> >>> diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Register/Amd/Fam17Msr.h >>> index a65d51ab12..e19bd04b6c 100644 >>> --- a/MdePkg/Include/Register/Amd/Fam17Msr.h >>> +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h >>> @@ -53,6 +53,11 @@ typedef union { >>> UINT64 Features:52; >>> } GhcbHypervisorFeatures; >>> >>> + struct { >>> + UINT64 Function:12; >>> + UINT64 GuestFrameNumber:52; >>> + } GhcbGpaRegister; >>> + >>> VOID *Ghcb; >>> >>> UINT64 GhcbPhysicalAddress; >>> @@ -62,6 +67,8 @@ typedef union { >>> #define GHCB_INFO_SEV_INFO_GET 2 >>> #define GHCB_INFO_CPUID_REQUEST 4 >>> #define GHCB_INFO_CPUID_RESPONSE 5 >>> +#define GHCB_INFO_GHCB_GPA_REGISTER_REQUEST 18 >>> +#define GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE 19 >>> #define GHCB_HYPERVISOR_FEATURES_REQUEST 128 >>> #define GHCB_HYPERVISOR_FEATURES_RESPONSE 129 >>> #define GHCB_INFO_TERMINATE_REQUEST 256 >>> >> The number match the spec (2.0), but I have some remarks / questions. >> >> (1) Patch #2 (SVM_EXIT_HYPERVISOR_FEATURES) and this patch >> (GHCB_INFO_GHCB_GPA_REGISTER_REQUEST) break the nice alignments of the >> macro values (replacement texts) in both header files. Can you prepend a >> whitespace-only patch that simply moves the affected "columns" to the >> right far enough? Sure, do you want me to the post after all the new VMGEXIT's are defined ? >> >> (2) I've checked section 2.3.2 "GHCB GPA Registration" in the spec >> (2.0). What is the specific risk of allowing a guest to switch from one >> GHCB address to another? The GHCB is a shared page, there is no risk to switch from one page to another. This feature is designed to simplify some of the hypervisor implementation. Since the GHCB is accessed on every vmgexit, a hypervisor may prefer to create a map during the registration and refer the map instead of creating a new mapping on every vmgexit. >> >> (3) It seems strange to expect that a guest stick with a particular GHCB >> address for its entire lifetime (including firmware and OS) -- in fact >> OVMF already uses multiple GHCB addresses. The spec does not explain how >> the guest can "unlock" (de-register) a registered GHCB address. >> Furthermore, if a guest can do that *at all* (which I think it must -- >> we're already using different GHCB addresses between SEC and DXE, for >> example), then what protection does the *temporary* locking of the GHCB >> address provide? The spec does not force that GHCB should *never* change once registered. It says that before switching to new GHCB page, the guest must register the page. As you rightly said that OVMF uses multiple GHCBs from SEC to DXE. There is no unregister, registering a new GHCB is a hint to hypervisor that it should drop the old GHCB mapping. The GHCB registration is not a PSP function, and are not designed to mitigate a security exploits. It is purely a hypevisor virtualized feature. >> I'll stop reviewing here, because I think I need to understand your >> answers. I'd like to have a rudimentary mental basis for reviewing the rest. > ... interestingly, with reference to my question (2) under patch "RFC v2 > 02/28", the GHCB GPA registration function is one that can *only* be > performed with the GHCB MSR protocol, and not through the GHCB page. > > So that shows that the MSR protocol's functions cannot be considered a > pure subset of the GHCB page's functions. If > SVM_EXIT_HYPERVISOR_FEATURES didn't exist (and the same function would > only be accessible via GHCB_HYPERVISOR_FEATURES_REQUEST), then no > "larger principle" would be damaged. That is correct, not every exit have both MSR and non MSR protocol based vmgexit. It seems that during the spec review no other HV vendor saw the need for non-MSR based exit. Certainly, I don't see a need for it in KVM and can't comment on other HV ;) > > Thanks > Laszlo >