Subject: Re: [PATCH v6 02/29] OvmfPkg: reserve CPUID page for SEV-SNP
From: "Brijesh Singh"
To: Gerd Hoffmann
CC: devel@edk2.groups.io, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth
Date: Thu, 2 Sep 2021 16:17:52 -0500

On 9/2/21 7:28 AM, Brijesh Singh wrote:
> Hi Gerd,
>
> On 9/2/21 3:04 AM, Gerd Hoffmann wrote:
>> On Wed, Sep 01, 2021 at 11:16:19AM -0500, Brijesh Singh wrote:
>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>>
>>> Platform features and capabilities are traditionally discovered via the
>>> CPUID instruction. Hypervisors typically trap and emulate the CPUID
>>> instruction for a variety of reasons. There are some cases where incorrect
>>> CPUID information can potentially lead to a security issue. The SEV-SNP
>>> firmware provides a feature to filter the CPUID results through the PSP.
>>> The filtered CPUID values are saved on a special page for the guest to
>>> consume. Reserve a page in MEMFD that will contain the results of
>>> filtered CPUID values.
>> Is the format of the page documented somewhere?
> Yes, it is documented in the SEV-SNP spec [1] section 7.1 and the checks
> performed by the SEV-SNP firmware are documented in the PPR [2] section
> 2.1.5.3. I will document these links in the commit message.
>
> [1] https://www.amd.com/system/files/TechDocs/56860.pdf
>
> [2]
> https://www.amd.com/en/support/tech-docs/processor-programming-reference-ppr-for-amd-family-19h-model-01h-revision-b1
>
>
>> Is this snp-specific? Or could this also be used without snp?
> This is SNP specific format and cannot be used without SNP.

I should clarify the statement: the format itself does not contain
anything SNP specific. However, the CPUID page format is documented in
the SNP specific spec.

Are you thinking about using it for a non-SEV guest to avoid the VM exit?
If so, it should be very much possible. For that we should define the
format outside of the SNP specific spec and make it generic so that guests
and HVs can implement it and consume it in the non-SNP guest.

thanks