From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Brijesh Singh" <brijesh.singh@amd.com>
Date: Fri, 29 Oct 2021 09:52:06 -0500
Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
To: "Yao, Jiewen", devel@edk2.groups.io
Cc: brijesh.singh@amd.com, James Bottomley, "Xu, Min M", Tom Lendacky, "Justen, Jordan L", Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann
References: <20211023041349.1263726-1-brijesh.singh@amd.com> <7c252991-d51a-461e-da8e-8f1de6fe41ba@amd.com>
Content-Type: text/plain; charset=UTF-8
Hi Jiewen,

I have not heard anything back from the UefiCpuPkg maintainer yet. I will send another gentle ping on Monday and hope the maintainer gets to it.

-Brijesh

On 10/29/21 7:26 AM, Yao, Jiewen wrote:
> Hi Brijesh
> Have you got R-B from UefiCpuPkg maintainer?
>
>
>
>> -----Original Message-----
>> From: Brijesh Singh
>> Sent: Monday, October 25, 2021 7:54 AM
>> To: devel@edk2.groups.io; Yao, Jiewen
>> Cc: brijesh.singh@amd.com; James Bottomley; Xu, Min M; Tom Lendacky; Justen, Jordan L; Ard Biesheuvel; Erdem Aktas; Michael Roth; Gerd Hoffmann
>> Subject: Re: [edk2-devel] [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
>>
>> Thanks Jiewen,
>>
>> I have pinged the UefiCpuPkg maintainers (Ray and Rahul) on every patch
>> which touches the UefiCpuPkg. If the maintainer wants me to rework
>> something then I will work accordingly. If they are okay with v11 then
>> the merge will now create a conflict (due to the TDX patches merge
>> commit). I have rebased my series to the recent master and have pushed
>> it here: https://github.com/AMDESE/ovmf/tree/snp-v12. I can post the
>> series if you prefer it.
>>
>> thanks
>>
>> On 10/23/21 8:46 PM, Yao, Jiewen via groups.io wrote:
>>> Yes. I will try my best to merge.
>>>
>>> I checked the patch set but I did not find the "R-B" from UefiCpuPkg
>>> maintainer. Neither from email nor from your v11.
>>> Did I miss something?
>>>
>>> Thank you
>>> Yao Jiewen
>>>
>>>
>>>> -----Original Message-----
>>>> From: Brijesh Singh
>>>> Sent: Saturday, October 23, 2021 12:13 PM
>>>> To: devel@edk2.groups.io
>>>> Cc: James Bottomley; Xu, Min M; Yao, Jiewen; Tom Lendacky; Justen, Jordan L; Ard Biesheuvel; Erdem Aktas; Michael Roth; Gerd Hoffmann; Brijesh Singh
>>>> Subject: [PATCH v11 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
>>>>
>>>> Hi Gerd and Jiewen,
>>>>
>>>> CI was a bit unstable during my v10 submission, so I was not able to
>>>> run it to completion. Finally, I managed to get the CI going,
>>>> and it reported a few Windows 32-bit build errors. The v11 fixes those build
>>>> errors. Please consider this for the merge.
>>>>
>>>> Thank you so much for all your support in reviewing the series.
>>>>
>>>> -----------------------------------------------------------------------------
>>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>>>
>>>> SEV-SNP builds upon existing SEV and SEV-ES functionality while adding
>>>> new hardware-based memory protections. SEV-SNP adds strong memory integrity
>>>> protection to help prevent malicious hypervisor-based attacks like data
>>>> replay, memory re-mapping and more in order to create an isolated memory
>>>> encryption environment.
>>>>
>>>> This series provides the basic building blocks to support booting SEV-SNP
>>>> VMs; it does not cover all the security enhancements introduced by SEV-SNP
>>>> such as interrupt protection.
>>>>
>>>> Many of the integrity guarantees of SEV-SNP are enforced through a new
>>>> structure called the Reverse Map Table (RMP). Adding a new page to an SEV-SNP
>>>> VM requires a 2-step process. First, the hypervisor assigns a page to the
>>>> guest using the new RMPUPDATE instruction. This transitions the page to
>>>> guest-invalid. Second, the guest validates the page using the new PVALIDATE
>>>> instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE"
>>>> defined in the GHCB specification to ask the hypervisor to add or remove a page
>>>> from the RMP table.
>>>>
>>>> Each page assigned to the SEV-SNP VM can either be validated or unvalidated,
>>>> as indicated by the Validated flag in the page's RMP entry. There are two
>>>> approaches that can be taken for the page validation: Pre-validation and
>>>> Lazy Validation.
>>>>
>>>> Under pre-validation, the pages are validated prior to first use. And under
>>>> lazy validation, pages are validated when first accessed. An access to an
>>>> unvalidated page results in a #VC exception, at which time the exception
>>>> handler may validate the page. Lazy validation requires careful tracking of
>>>> the validated pages to avoid validating the same GPA more than once. The
>>>> recently introduced "Unaccepted" memory type can be used to communicate the
>>>> unvalidated memory ranges to the Guest OS.
>>>>
>>>> At this time we only support the pre-validation. OVMF detects all the available
>>>> system RAM in the PEI phase. When SEV-SNP is enabled, the memory is validated
>>>> before it is made available to the EDK2 core.
>>>>
>>>> Now the series contains all the basic support required to launch an SEV-SNP
>>>> guest. We are still missing the Interrupt security feature provided by the
>>>> SNP. The feature will be added after the base support is accepted.
>>>>
>>>> Additional resources
>>>> ---------------------
>>>> SEV-SNP whitepaper
>>>> https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
>>>>
>>>> APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36)
>>>>
>>>> The complete source is available at
>>>> https://github.com/AMDESE/ovmf/tree/snp-v11
>>>>
>>>> GHCB spec:
>>>> https://developer.amd.com/wp-content/resources/56421.pdf
>>>>
>>>> SEV-SNP firmware specification:
>>>> https://www.amd.com/system/files/TechDocs/56860.pdf
>>>>
>>>> Changes since v10:
>>>> * fix 'unresolved external symbol __allshl' link error when building I32 for VS2017.
>>>>
>>>> Changes since v9:
>>>> * Move CCAttrs Pcd define in MdePkg
>>>> * Add comment to indicate that allocating the identity map PT is temporary until we get lazy validation
>>>>
>>>> Changes since v8:
>>>> * drop the generic metadata and make it specific to SEV.
>>>>
>>>> Changes since v7:
>>>> * Move SEV specific changes in MpLib in AmdSev file
>>>> * Update the GHCB register function to not restore the GHCB MSR because we were already in the MSR protocol mode.
>>>> * Drop the SNP name from PcdSnpSecPreValidate.
>>>> * Add new section for GHCB memory in the OVMF metadata.
>>>>
>>>> Changes since v6:
>>>> * Drop the SNP boot block GUID and switch to using the Metadata guided structure proposed by Min in TDX series.
>>>> * Exclude the GHCB page from the pre-validated region. It simplifies the reset vector code where we do not need to unvalidate the GHCB page.
>>>> * Now that GHCB page is not validated so move the VMPL check from reset vector code to the MemEncryptSevLib on the first page validation.
>>>> * Introduce the ConfidentialComputingGuestAttr PCD to communicate which memory encryption is active so that MpInitLib can make use of it.
>>>> * Drop the SEVES specific PCD as the information can be communicated via the ConfidentialComputingGuestAttr.
>>>> * Move the SNP specific AP creation function in AmdSev.c.
>>>> * Define the SNP Blob GUID in a new file.
>>>>
>>>> Changes since v5:
>>>> * When possible use the CPUID value from CPUID page
>>>> * Move the SEV specific functions from SecMain.c in AmdSev.c
>>>> * Rebase to the latest code
>>>> * Add the review feedback from Yao.
>>>>
>>>> Changes since v4:
>>>> * Use the correct MSR for the SEV_STATUS
>>>> * Add VMPL-0 check
>>>>
>>>> Changes since v3:
>>>> * ResetVector: move all SEV specific code in AmdSev.asm and add macros to keep the code readable.
>>>> * Drop extending the EsWorkArea to contain SNP specific state.
>>>> * Drop the GhcbGpa library and call the VmgExit directly to register GHCB GPA.
>>>> * Install the CC blob config table from AmdSevDxe instead of extending the AmdSev/SecretsDxe for it.
>>>> * Add the separate PCDs for the SNP Secrets.
>>>>
>>>> Changes since v2:
>>>> * Add support for the AP creation.
>>>> * Use the module-scoping override to make AmdSevDxe use the IO port for PCI reads.
>>>> * Use the reserved memory type for CPUID and Secrets page.
>>>>
>>>> Changes since v1:
>>>> * Drop the interval tree support to detect the pre-validated overlap region.
>>>> * Use an array to keep track of pre-validated regions.
>>>> * Add support to query the Hypervisor feature and verify that SNP feature is supported.
>>>> * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit from MMIO ranges.
>>>> * Pull the SevSecretDxe and SevSecretPei into OVMF package build.
>>>> * Extend the SevSecretDxe to expose confidential computing blob location through EFI configuration table.
>>>>
>>>> Brijesh Singh (28):
>>>>   OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
>>>>   UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
>>>>   OvmfPkg/ResetVector: move clearing GHCB in SecMain
>>>>   OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
>>>>   OvmfPkg: reserve SNP secrets page
>>>>   OvmfPkg: reserve CPUID page
>>>>   OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
>>>>   OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
>>>>   OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
>>>>   OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
>>>>   OvmfPkg/AmdSevDxe: do not use extended PCI config space
>>>>   OvmfPkg/MemEncryptSevLib: add support to validate system RAM
>>>>   OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
>>>>   OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
>>>>   OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase
>>>>   OvmfPkg/SecMain: validate the memory used for decompressing Fv
>>>>   OvmfPkg/PlatformPei: validate the system RAM when SNP is active
>>>>   UefiCpuPkg: Define ConfidentialComputingGuestAttr
>>>>   OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active
>>>>   UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status
>>>>   UefiCpuPkg: add PcdGhcbHypervisorFeatures
>>>>   OvmfPkg/PlatformPei: set the Hypervisor Features PCD
>>>>   MdePkg/GHCB: increase the GHCB protocol max version
>>>>   UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
>>>>   OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
>>>>   OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
>>>>   OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
>>>>   OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table
>>>>
>>>> Michael Roth (3):
>>>>   OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
>>>>   OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
>>>>   UefiCpuPkg/MpInitLib: use BSP to do extended topology check
>>>>
>>>> Tom Lendacky (1):
>>>>   UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
>>>>
>>>>  MdePkg/MdePkg.dec                             |   4 +
>>>>  OvmfPkg/OvmfPkg.dec                           |  18 +
>>>>  UefiCpuPkg/UefiCpuPkg.dec                     |   5 +
>>>>  OvmfPkg/AmdSev/AmdSevX64.dsc                  |   8 +-
>>>>  OvmfPkg/Bhyve/BhyveX64.dsc                    |   5 +-
>>>>  OvmfPkg/OvmfPkgIa32.dsc                       |   4 +
>>>>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   9 +-
>>>>  OvmfPkg/OvmfPkgX64.dsc                        |   8 +-
>>>>  OvmfPkg/OvmfXen.dsc                           |   5 +-
>>>>  OvmfPkg/OvmfPkgX64.fdf                        |   6 +
>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf               |   7 +
>>>>  .../DxeMemEncryptSevLib.inf                   |   3 +
>>>>  .../PeiMemEncryptSevLib.inf                   |   7 +
>>>>  .../SecMemEncryptSevLib.inf                   |   3 +
>>>>  OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf  |   2 +
>>>>  OvmfPkg/Library/VmgExitLib/VmgExitLib.inf     |   3 +
>>>>  OvmfPkg/PlatformPei/PlatformPei.inf           |   7 +
>>>>  OvmfPkg/ResetVector/ResetVector.inf           |   5 +
>>>>  OvmfPkg/Sec/SecMain.inf                       |   4 +
>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |   6 +-
>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf |   6 +-
>>>>  .../Include/ConfidentialComputingGuestAttr.h  |  25 +
>>>>  MdePkg/Include/Register/Amd/Ghcb.h            |   2 +-
>>>>  .../Guid/ConfidentialComputingSevSnpBlob.h    |  33 ++
>>>>  OvmfPkg/Include/Library/MemEncryptSevLib.h    |  26 +
>>>>  .../X64/SnpPageStateChange.h                  |  36 ++
>>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.h  |  24 +
>>>>  OvmfPkg/PlatformPei/Platform.h                |   5 +
>>>>  OvmfPkg/Sec/AmdSev.h                          |  95 ++++
>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.h          |  93 ++++
>>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.c                 |  23 +
>>>>  .../DxeMemEncryptSevLibInternal.c             |  27 ++
>>>>  .../Ia32/MemEncryptSevLib.c                   |  17 +
>>>>  .../PeiMemEncryptSevLibInternal.c             |  27 ++
>>>>  .../SecMemEncryptSevLibInternal.c             |  19 +
>>>>  .../X64/DxeSnpSystemRamValidate.c             |  40 ++
>>>>  .../X64/PeiDxeVirtualMemory.c                 | 167 ++++++-
>>>>  .../X64/PeiSnpSystemRamValidate.c             | 127 +++++
>>>>  .../X64/SecSnpSystemRamValidate.c             |  82 ++++
>>>>  .../X64/SnpPageStateChangeInternal.c          | 294 ++++++++++++
>>>>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 444 ++++++++++++++++--
>>>>  OvmfPkg/PlatformPei/AmdSev.c                  | 231 +++++++++
>>>>  OvmfPkg/PlatformPei/MemDetect.c               |   2 +
>>>>  OvmfPkg/Sec/AmdSev.c                          | 298 ++++++++++++
>>>>  OvmfPkg/Sec/SecMain.c                         | 158 +------
>>>>  UefiCpuPkg/Library/MpInitLib/AmdSev.c         | 239 ++++++++++
>>>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |  16 +-
>>>>  UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c    |  70 +++
>>>>  UefiCpuPkg/Library/MpInitLib/MpLib.c          | 345 +++++---------
>>>>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c       |   4 +-
>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c     | 261 ++++++++++
>>>>  OvmfPkg/FvmainCompactScratchEnd.fdf.inc       |   5 +
>>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |  17 +
>>>>  OvmfPkg/ResetVector/Ia32/AmdSev.asm           |  86 +++-
>>>>  OvmfPkg/ResetVector/ResetVector.nasmb         |  18 +
>>>>  OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm   |  74 +++
>>>>  UefiCpuPkg/Library/MpInitLib/MpEqu.inc        |   2 +
>>>>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm  | 200 ++++++++
>>>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 +---
>>>>  59 files changed, 3329 insertions(+), 528 deletions(-)
>>>>  create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h
>>>>  create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h
>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.h
>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
>>>>  create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
>>>>  create mode 100644 OvmfPkg/Sec/AmdSev.c
>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c
>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c
>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
>>>>  create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
>>>>  create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
>>>>
>>>> --
>>>> 2.25.1
>>>
>>>
>>>
>>>
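The two-step page assignment the quoted cover letter describes (hypervisor RMPUPDATE, then guest PVALIDATE, requested through the GHCB Page State Change protocol) and its warning that the same GPA must not be validated twice, modelled in user-space C. This is an added example for this archive page, not OVMF code and not anything from the posted series or its authors. The GHCB MSR-protocol bit layout for the Page State Change request (0x014) and response (0x015) is the one documented in the GHCB specification the cover letter links; the RMP, the "honest" and "lying" hypervisor modes, the instruction return values, the tracker and every function name are constructed assumptions of the model. It shows two independent guards: the guest's own record of validated GFNs, and the carry flag PVALIDATE sets when the RMP entry was already in the requested state, which a guest that believes it is validating a fresh page should treat as an error rather than continue.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_RMP 16u   /* constructed: a tiny RMP covering 16 guest pages */

/* GHCB MSR protocol, SNP Page State Change request/response (GHCB spec).
 * Request GHCBData: [11:0] = 0x014, [51:12] = GFN, [55:52] = page operation.
 * Response GHCBData: [11:0] = 0x015, [63:32] = error code, 0 on success. */
#define GHCB_MSR_PSC_REQ       0x014ULL
#define GHCB_MSR_PSC_RESP      0x015ULL
#define GHCB_MSR_INFO_MASK     0xfffULL
#define GHCB_GFN_MASK          ((1ULL << 40) - 1)
#define SNP_PAGE_STATE_PRIVATE 1ULL
#define SNP_PAGE_STATE_SHARED  2ULL

uint64_t ghcb_msr_psc_req(uint64_t gfn, uint64_t op)
{
    return ((op & 0xfULL) << 52) | ((gfn & GHCB_GFN_MASK) << 12) | GHCB_MSR_PSC_REQ;
}
uint64_t ghcb_msr_psc_gfn(uint64_t v)  { return (v >> 12) & GHCB_GFN_MASK; }
uint64_t ghcb_msr_psc_op(uint64_t v)   { return (v >> 52) & 0xfULL; }
uint64_t ghcb_msr_psc_resp(uint32_t e) { return ((uint64_t)e << 32) | GHCB_MSR_PSC_RESP; }
uint32_t ghcb_msr_psc_err(uint64_t v)  { return (uint32_t)(v >> 32); }

/* Modelled RMP entry: unassigned (hypervisor page), or assigned to the guest
 * with a Validated bit that only the guest's PVALIDATE can set. */
struct rmp_entry { bool assigned; bool validated; };
static struct rmp_entry rmp[NR_RMP];

/* Constructed knob: an honest hypervisor performs RMPUPDATE; a lying one
 * acknowledges the PSC request and leaves the RMP untouched. */
enum hv_mode { HV_HONEST, HV_LYING };
static enum hv_mode hv_behaviour = HV_HONEST;
void hv_set_mode(enum hv_mode m) { hv_behaviour = m; }

/* Step 1 (hypervisor): RMPUPDATE assigns the page to the guest as guest-invalid. */
static int hv_rmpupdate_assign(uint64_t gfn)
{
    if (gfn >= NR_RMP) return -1;
    rmp[gfn].assigned  = true;
    rmp[gfn].validated = false;   /* assignment always clears Validated */
    return 0;
}

/* Hypervisor handler for one PSC request delivered through the GHCB MSR. */
static uint64_t hv_handle_psc_msr(uint64_t req)
{
    if ((req & GHCB_MSR_INFO_MASK) != GHCB_MSR_PSC_REQ) return ghcb_msr_psc_resp(1);
    if (ghcb_msr_psc_op(req) != SNP_PAGE_STATE_PRIVATE) return ghcb_msr_psc_resp(1);
    if (hv_behaviour == HV_LYING)                       return ghcb_msr_psc_resp(0);
    return ghcb_msr_psc_resp(hv_rmpupdate_assign(ghcb_msr_psc_gfn(req)) ? 1 : 0);
}

/* Step 2 (guest): PVALIDATE. Returns -1 for a page not assigned to this guest
 * (the real instruction faults). *cf mirrors rFLAGS.CF, which the APM sets
 * when the RMP entry already held the requested Validated value. */
static int guest_pvalidate(uint64_t gfn, bool validate, bool *cf)
{
    if (gfn >= NR_RMP || !rmp[gfn].assigned) return -1;
    *cf = (rmp[gfn].validated == validate);
    rmp[gfn].validated = validate;
    return 0;
}

static uint64_t validated_bitmap;   /* guest-side record of GFNs it validated */

enum add_result { ADD_OK, ADD_ALREADY_TRACKED, ADD_HV_ERROR, ADD_FAULT, ADD_DOUBLE_VALIDATE };

/* Add one page as the cover letter describes: PSC request, then PVALIDATE.
 * Two independent guards stop the same GPA being validated twice: the guest's
 * own tracker, and CF=1 from PVALIDATE, which means the entry was already
 * Validated and the hypervisor did not hand over a fresh page. */
enum add_result guest_add_page(uint64_t gfn)
{
    if (gfn >= NR_RMP) return ADD_FAULT;
    if (validated_bitmap & (1ULL << gfn)) return ADD_ALREADY_TRACKED;

    uint64_t resp = hv_handle_psc_msr(ghcb_msr_psc_req(gfn, SNP_PAGE_STATE_PRIVATE));
    if ((resp & GHCB_MSR_INFO_MASK) != GHCB_MSR_PSC_RESP || ghcb_msr_psc_err(resp))
        return ADD_HV_ERROR;

    bool cf = false;
    if (guest_pvalidate(gfn, true, &cf) != 0) return ADD_FAULT;
    if (cf) return ADD_DOUBLE_VALIDATE;

    validated_bitmap |= 1ULL << gfn;
    return ADD_OK;
}

void model_reset(enum hv_mode m)
{
    memset(rmp, 0, sizeof rmp);
    validated_bitmap = 0;
    hv_behaviour = m;
}

/* Models a later boot stage that starts with an empty tracker, as when one
 * phase takes over pages an earlier phase already validated. */
void forget_tracker(void) { validated_bitmap = 0; }

int main(void)
{
    model_reset(HV_HONEST);
    printf("honest add of gfn 3:      %d\n", guest_add_page(3));   /* 0: ADD_OK */
    printf("same gfn again:           %d\n", guest_add_page(3));   /* 1: ADD_ALREADY_TRACKED */
    forget_tracker();
    hv_set_mode(HV_LYING);
    printf("lying hv, validated gfn:  %d\n", guest_add_page(3));   /* 4: ADD_DOUBLE_VALIDATE */
    printf("lying hv, unassigned gfn: %d\n", guest_add_page(9));   /* 3: ADD_FAULT */
    return 0;
}
```

The last two calls are the cases a pre-validating firmware has to get right: a later phase that has lost the earlier phase's tracker must either be told which ranges are already validated (the series does this with its pre-validated region list) or rely on the CF=1 result, and a page the hypervisor never actually assigned faults on PVALIDATE rather than silently succeeding.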