From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, thomas.lendacky@amd.com
Cc: Brijesh Singh <brijesh.singh@amd.com>,
James Bottomley <jejb@linux.ibm.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: Re: [edk2-devel] [PATCH 09/12] OvmfPkg/MemEncryptSevLib: Address range encryption state interface
Date: Tue, 5 Jan 2021 10:48:43 +0100
Message-ID: <b1e232ff-9c94-fcdf-be0a-ee0b97a6337a@redhat.com>
In-Reply-To: <6877ca800856e85692d7ab99357895fa318f36c7.1608065471.git.thomas.lendacky@amd.com>
On 12/15/20 21:51, Lendacky, Thomas wrote:
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
>
> Update the MemEncryptSevLib library to include an interface that can
> report the encryption state on a range of memory. The values will
> represent the range as being unencrypted, encrypted, a mix of unencrypted
> and encrypted, and error (e.g. ranges that aren't mapped).
>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Brijesh Singh <brijesh.singh@amd.com>
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> .../DxeBaseMemEncryptSevLib.inf | 1 +
> .../PeiBaseMemEncryptSevLib.inf | 1 +
> .../SecBaseMemEncryptSevLib.inf | 1 +
> OvmfPkg/Include/Library/MemEncryptSevLib.h | 33 +++
> .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 35 ++-
> .../Ia32/MemEncryptSevLib.c | 31 ++-
> .../X64/MemEncryptSevLib.c | 32 ++-
> .../X64/PeiDxeVirtualMemory.c | 19 +-
> .../X64/SecVirtualMemory.c | 20 ++
> .../BaseMemEncryptSevLib/X64/VirtualMemory.c | 207 ++++++++++++++++++
> 10 files changed, 368 insertions(+), 12 deletions(-)
> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
Acked-by: Laszlo Ersek <lersek@redhat.com>
Thanks,
Laszlo
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
> index 390f2d60677f..04728a5dd256 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
> @@ -34,6 +34,7 @@ [Sources.X64]
> MemEncryptSevLibInternal.c
> X64/MemEncryptSevLib.c
> X64/PeiDxeVirtualMemory.c
> + X64/VirtualMemory.c
> X64/VirtualMemory.h
>
> [Sources.IA32]
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
> index cb973fdeb868..4e4f59c0b0b6 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
> @@ -34,6 +34,7 @@ [Sources.X64]
> MemEncryptSevLibInternal.c
> X64/MemEncryptSevLib.c
> X64/PeiDxeVirtualMemory.c
> + X64/VirtualMemory.c
> X64/VirtualMemory.h
>
> [Sources.IA32]
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptSevLib.inf
> index b26f739d69fd..79389298a3b3 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptSevLib.inf
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptSevLib.inf
> @@ -34,6 +34,7 @@ [Sources.X64]
> MemEncryptSevLibInternal.c
> X64/MemEncryptSevLib.c
> X64/SecVirtualMemory.c
> + X64/VirtualMemory.c
> X64/VirtualMemory.h
>
> [Sources.IA32]
> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> index 394065f15bc1..421b2e2c2c1e 100644
> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> @@ -33,6 +33,16 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
> UINT64 EncryptionMask;
> } SEC_SEV_ES_WORK_AREA;
>
> +//
> +// Memory encryption address range states.
> +//
> +typedef enum {
> + MemEncryptSevAddressRangeUnencrypted,
> + MemEncryptSevAddressRangeEncrypted,
> + MemEncryptSevAddressRangeMixed,
> + MemEncryptSevAddressRangeError,
> +} MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE;
> +
> /**
> Returns a boolean to indicate whether SEV-ES is enabled.
>
> @@ -147,4 +157,27 @@ MemEncryptSevGetEncryptionMask (
> VOID
> );
>
> +/**
> + Returns the encryption state of the specified virtual address range.
> +
> + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
> + current CR3)
> + @param[in] BaseAddress Base address to check
> + @param[in] Length Length of virtual address range
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> + @retval MemEncryptSevAddressRangeError Address range is not mapped
> +**/
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +EFIAPI
> +MemEncryptSevGetAddressRangeState (
> + IN PHYSICAL_ADDRESS Cr3BaseAddress,
> + IN PHYSICAL_ADDRESS BaseAddress,
> + IN UINTN Length
> + );
> +
> #endif // _MEM_ENCRYPT_SEV_LIB_H_
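
Review bot: The comment block for MemEncryptSevGetAddressRangeState documents MemEncryptSevAddressRangeError only as "Address range is not mapped", but it does not say what a caller gets for Length == 0 or for a range that is only partly mapped. In the X64 implementation added by this patch both cases return MemEncryptSevAddressRangeError (the loop never runs for a zero length, and the first non-present entry returns immediately). Please state both in the @param[in] Length and @retval text so callers know that Error does not always mean an unmapped page.
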
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h
> index 26d26cd922a4..996f94f07ebb 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h
> @@ -3,7 +3,7 @@
> Virtual Memory Management Services to set or clear the memory encryption bit
>
> Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
> - Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -178,7 +178,17 @@ typedef struct {
> UINTN FreePages;
> } PAGE_TABLE_POOL;
>
> +/**
> + Return the pagetable memory encryption mask.
>
> + @return The pagetable memory encryption mask.
> +
> +**/
> +UINT64
> +EFIAPI
> +InternalGetMemEncryptionAddressMask (
> + VOID
> + );
>
> /**
> This function clears memory encryption bit for the memory region specified by
> @@ -234,4 +244,27 @@ InternalMemEncryptSevSetMemoryEncrypted (
> IN BOOLEAN Flush
> );
>
> +/**
> + Returns the encryption state of the specified virtual address range.
> +
> + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
> + current CR3)
> + @param[in] BaseAddress Base address to check
> + @param[in] Length Length of virtual address range
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> + @retval MemEncryptSevAddressRangeError Address range is not mapped
> +**/
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +EFIAPI
> +InternalMemEncryptSevGetAddressRangeState (
> + IN PHYSICAL_ADDRESS Cr3BaseAddress,
> + IN PHYSICAL_ADDRESS BaseAddress,
> + IN UINTN Length
> + );
> +
> #endif
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
> index b4f6e5738e6e..12a5bf495bd7 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
> @@ -2,7 +2,7 @@
>
> Secure Encrypted Virtualization (SEV) library helper function
>
> - Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -82,3 +82,32 @@ MemEncryptSevSetPageEncMask (
> //
> return RETURN_UNSUPPORTED;
> }
> +
> +/**
> + Returns the encryption state of the specified virtual address range.
> +
> + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
> + current CR3)
> + @param[in] BaseAddress Base address to check
> + @param[in] Length Length of virtual address range
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> + @retval MemEncryptSevAddressRangeError Address range is not mapped
> +**/
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +EFIAPI
> +MemEncryptSevGetAddressRangeState (
> + IN PHYSICAL_ADDRESS Cr3BaseAddress,
> + IN PHYSICAL_ADDRESS BaseAddress,
> + IN UINTN Length
> + )
> +{
> + //
> + // Memory is always encrypted in 32-bit mode
> + //
> + return MemEncryptSevAddressRangeEncrypted;
> +}
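
Review bot: The Ia32 MemEncryptSevGetAddressRangeState returns MemEncryptSevAddressRangeEncrypted for every input, so the Unencrypted, Mixed and Error @retval lines copied into its comment block can never occur in this build, and Cr3BaseAddress, BaseAddress and Length are ignored. Trim the @retval list to the one value that is returned and say in the comment that the parameters are unused, so a caller does not rely on Error to detect an unmapped range in 32-bit code.
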
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c
> index cf0921e21464..4fea6a6be0ac 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c
> @@ -2,7 +2,7 @@
>
> Secure Encrypted Virtualization (SEV) library helper function
>
> - Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -88,3 +88,33 @@ MemEncryptSevSetPageEncMask (
> Flush
> );
> }
> +
> +/**
> + Returns the encryption state of the specified virtual address range.
> +
> + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
> + current CR3)
> + @param[in] BaseAddress Base address to check
> + @param[in] Length Length of virtual address range
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> + @retval MemEncryptSevAddressRangeError Address range is not mapped
> +**/
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +EFIAPI
> +MemEncryptSevGetAddressRangeState (
> + IN PHYSICAL_ADDRESS Cr3BaseAddress,
> + IN PHYSICAL_ADDRESS BaseAddress,
> + IN UINTN Length
> + )
> +{
> + return InternalMemEncryptSevGetAddressRangeState (
> + Cr3BaseAddress,
> + BaseAddress,
> + Length
> + );
> +}
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
> index 3a5bab657bd7..d3455e812bd1 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
> @@ -28,14 +28,14 @@ typedef enum {
> } MAP_RANGE_MODE;
>
> /**
> - Get the memory encryption mask
> + Return the pagetable memory encryption mask.
>
> - @param[out] EncryptionMask contains the pte mask.
> + @return The pagetable memory encryption mask.
>
> **/
> -STATIC
> UINT64
> -GetMemEncryptionAddressMask (
> +EFIAPI
> +InternalGetMemEncryptionAddressMask (
> VOID
> )
> {
> @@ -200,7 +200,7 @@ Split2MPageTo4K (
>
> PageTableEntry1 = PageTableEntry;
>
> - AddressEncMask = GetMemEncryptionAddressMask ();
> + AddressEncMask = InternalGetMemEncryptionAddressMask ();
>
> ASSERT (PageTableEntry != NULL);
> ASSERT (*PageEntry2M & AddressEncMask);
> @@ -286,7 +286,7 @@ SetPageTablePoolReadOnly (
> LevelSize[3] = SIZE_1GB;
> LevelSize[4] = SIZE_512GB;
>
> - AddressEncMask = GetMemEncryptionAddressMask();
> + AddressEncMask = InternalGetMemEncryptionAddressMask();
> PageTable = (UINT64 *)(UINTN)PageTableBase;
> PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE;
>
> @@ -431,7 +431,7 @@ Split1GPageTo2M (
>
> PageDirectoryEntry = AllocatePageTableMemory(1);
>
> - AddressEncMask = GetMemEncryptionAddressMask ();
> + AddressEncMask = InternalGetMemEncryptionAddressMask ();
> ASSERT (PageDirectoryEntry != NULL);
> ASSERT (*PageEntry1G & AddressEncMask);
> //
> @@ -485,7 +485,7 @@ SetOrClearCBit(
> {
> UINT64 AddressEncMask;
>
> - AddressEncMask = GetMemEncryptionAddressMask ();
> + AddressEncMask = InternalGetMemEncryptionAddressMask ();
>
> if (Mode == SetCBit) {
> *PageTablePointer |= AddressEncMask;
> @@ -527,6 +527,7 @@ DisableReadOnlyPageWriteProtect (
> /**
> Enable Write Protect on pages marked as read-only.
> **/
> +STATIC
> VOID
> EnableReadOnlyPageWriteProtect (
> VOID
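
Review bot: The STATIC added to EnableReadOnlyPageWriteProtect in this hunk is unrelated to the GetMemEncryptionAddressMask rename done in the rest of the file, and the commit message does not mention it. Either note it in the commit message or move it to its own patch.
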
> @@ -605,7 +606,7 @@ SetMemoryEncDec (
> //
> // Check if we have a valid memory encryption mask
> //
> - AddressEncMask = GetMemEncryptionAddressMask ();
> + AddressEncMask = InternalGetMemEncryptionAddressMask ();
> if (!AddressEncMask) {
> return RETURN_ACCESS_DENIED;
> }
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c
> index 5c337ea0b820..bca5e3febb1b 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c
> @@ -13,6 +13,26 @@
>
> #include "VirtualMemory.h"
>
> +/**
> + Return the pagetable memory encryption mask.
> +
> + @return The pagetable memory encryption mask.
> +
> +**/
> +UINT64
> +EFIAPI
> +InternalGetMemEncryptionAddressMask (
> + VOID
> + )
> +{
> + UINT64 EncryptionMask;
> +
> + EncryptionMask = MemEncryptSevGetEncryptionMask ();
> + EncryptionMask &= PAGING_1G_ADDRESS_MASK_64;
> +
> + return EncryptionMask;
> +}
> +
> /**
> This function clears memory encryption bit for the memory region specified by
> PhysicalAddress and Length from the current page table context.
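
Review bot: The two statements in the SEC InternalGetMemEncryptionAddressMask (MemEncryptSevGetEncryptionMask () followed by the PAGING_1G_ADDRESS_MASK_64 mask) are repeated open-coded in InternalMemEncryptSevGetAddressRangeState in X64/VirtualMemory.c later in this patch. VirtualMemory.h now declares this helper, so call it there and keep the mask derivation in one place. A one-line comment on why the 1G address mask is applied to the encryption mask would also help.
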
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
> new file mode 100644
> index 000000000000..36aabcf556a7
> --- /dev/null
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
> @@ -0,0 +1,207 @@
> +/** @file
> +
> + Virtual Memory Management Services to test an address range encryption state
> +
> + Copyright (c) 2020, AMD Incorporated. All rights reserved.<BR>
> +
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Library/CpuLib.h>
> +#include <Library/MemEncryptSevLib.h>
> +
> +#include "VirtualMemory.h"
> +
> +/**
> + Returns the (updated) address range state based upon the page table
> + entry.
> +
> + @param[in] CurrentState The current address range state
> + @param[in] PageDirectoryEntry The page table entry to check
> + @param[in] AddressEncMask The encryption mask
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> +**/
> +STATIC
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +UpdateAddressState (
> + IN MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE CurrentState,
> + IN UINT64 PageDirectoryEntry,
> + IN UINT64 AddressEncMask
> + )
> +{
> + if (CurrentState == MemEncryptSevAddressRangeEncrypted) {
> + if ((PageDirectoryEntry & AddressEncMask) == 0) {
> + CurrentState = MemEncryptSevAddressRangeMixed;
> + }
> + } else if (CurrentState == MemEncryptSevAddressRangeUnencrypted) {
> + if ((PageDirectoryEntry & AddressEncMask) != 0) {
> + CurrentState = MemEncryptSevAddressRangeMixed;
> + }
> + } else if (CurrentState == MemEncryptSevAddressRangeError) {
> + //
> + // First address check, set initial state
> + //
> + if ((PageDirectoryEntry & AddressEncMask) == 0) {
> + CurrentState = MemEncryptSevAddressRangeUnencrypted;
> + } else {
> + CurrentState = MemEncryptSevAddressRangeEncrypted;
> + }
> + }
> +
> + return CurrentState;
> +}
> +
> +/**
> + Returns the encryption state of the specified virtual address range.
> +
> + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
> + current CR3)
> + @param[in] BaseAddress Base address to check
> + @param[in] Length Length of virtual address range
> +
> + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
> + unencrypted
> + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped
> + encrypted
> + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
> + @retval MemEncryptSevAddressRangeError Address range is not mapped
> +**/
> +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
> +EFIAPI
> +InternalMemEncryptSevGetAddressRangeState (
> + IN PHYSICAL_ADDRESS Cr3BaseAddress,
> + IN PHYSICAL_ADDRESS BaseAddress,
> + IN UINTN Length
> + )
> +{
> + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *PageUpperDirectoryPointerEntry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *PageDirectoryPointerEntry;
> + PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry;
> + PAGE_TABLE_ENTRY *PageDirectory2MEntry;
> + PAGE_TABLE_4K_ENTRY *PageTableEntry;
> + UINT64 AddressEncMask;
> + UINT64 PgTableMask;
> + PHYSICAL_ADDRESS Address;
> + PHYSICAL_ADDRESS AddressEnd;
> + MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE State;
> +
> + //
> + // If Cr3BaseAddress is not specified then read the current CR3
> + //
> + if (Cr3BaseAddress == 0) {
> + Cr3BaseAddress = AsmReadCr3();
> + }
> +
> + AddressEncMask = MemEncryptSevGetEncryptionMask ();
> + AddressEncMask &= PAGING_1G_ADDRESS_MASK_64;
> +
> + PgTableMask = AddressEncMask | EFI_PAGE_MASK;
> +
> + State = MemEncryptSevAddressRangeError;
> +
> + //
> + // Encryption is on a page basis, so start at the beginning of the
> + // virtual address page boundary and walk page-by-page.
> + //
> + Address = (PHYSICAL_ADDRESS) (UINTN) BaseAddress & ~EFI_PAGE_MASK;
> + AddressEnd = (PHYSICAL_ADDRESS)
> + (UINTN) (BaseAddress + Length);
> +
> + while (Address < AddressEnd) {
> + PageMapLevel4Entry = (VOID*) (Cr3BaseAddress & ~PgTableMask);
> + PageMapLevel4Entry += PML4_OFFSET (Address);
> + if (!PageMapLevel4Entry->Bits.Present) {
> + return MemEncryptSevAddressRangeError;
> + }
> +
> + PageDirectory1GEntry = (VOID *) (
> + (PageMapLevel4Entry->Bits.PageTableBaseAddress <<
> + 12) & ~PgTableMask
> + );
> + PageDirectory1GEntry += PDP_OFFSET (Address);
> + if (!PageDirectory1GEntry->Bits.Present) {
> + return MemEncryptSevAddressRangeError;
> + }
> +
> + //
> + // If the MustBe1 bit is not 1, it's not actually a 1GB entry
> + //
> + if (PageDirectory1GEntry->Bits.MustBe1) {
> + //
> + // Valid 1GB page
> + //
> + State = UpdateAddressState (
> + State,
> + PageDirectory1GEntry->Uint64,
> + AddressEncMask
> + );
> +
> + Address += BIT30;
> + continue;
> + }
> +
> + //
> + // Actually a PDP
> + //
> + PageUpperDirectoryPointerEntry =
> + (PAGE_MAP_AND_DIRECTORY_POINTER *) PageDirectory1GEntry;
> + PageDirectory2MEntry =
> + (VOID *) (
> + (PageUpperDirectoryPointerEntry->Bits.PageTableBaseAddress <<
> + 12) & ~PgTableMask
> + );
> + PageDirectory2MEntry += PDE_OFFSET (Address);
> + if (!PageDirectory2MEntry->Bits.Present) {
> + return MemEncryptSevAddressRangeError;
> + }
> +
> + //
> + // If the MustBe1 bit is not a 1, it's not a 2MB entry
> + //
> + if (PageDirectory2MEntry->Bits.MustBe1) {
> + //
> + // Valid 2MB page
> + //
> + State = UpdateAddressState (
> + State,
> + PageDirectory2MEntry->Uint64,
> + AddressEncMask
> + );
> +
> + Address += BIT21;
> + continue;
> + }
> +
> + //
> + // Actually a PMD
> + //
> + PageDirectoryPointerEntry =
> + (PAGE_MAP_AND_DIRECTORY_POINTER *)PageDirectory2MEntry;
> + PageTableEntry =
> + (VOID *)(
> + (PageDirectoryPointerEntry->Bits.PageTableBaseAddress <<
> + 12) & ~PgTableMask
> + );
> + PageTableEntry += PTE_OFFSET (Address);
> + if (!PageTableEntry->Bits.Present) {
> + return MemEncryptSevAddressRangeError;
> + }
> +
> + State = UpdateAddressState (
> + State,
> + PageTableEntry->Uint64,
> + AddressEncMask
> + );
> +
> + Address += EFI_PAGE_SIZE;
> + }
> +
> + return State;
> +}
>
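
Review bot: In InternalMemEncryptSevGetAddressRangeState, "Address += BIT30" and "Address += BIT21" advance from an address that was only aligned down to 4KB, so when the range starts partway into a 1GB or 2MB page the next iteration resumes at the same offset inside the following large-page region, and any smaller pages between that region's start and the offset are never checked, although they lie inside the requested range. Round Address down to the large-page boundary before stepping, for example "Address = (Address & ~(UINT64) (BIT21 - 1)) + BIT21;" and the same with BIT30. Also, AddressEnd is computed from "BaseAddress + Length" with no overflow check; if the sum wraps, the loop is skipped and the function returns MemEncryptSevAddressRangeError without having looked at any entry, so reject that case explicitly.
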