public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Dun Tan <dun.tan@intel.com>, devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>, Ray Ni <ray.ni@intel.com>
Subject: Re: [Patch V3 03/11] OvmfPkg:Remove code that apply AddressEncMask to non-leaf entry
Date: Fri, 21 Apr 2023 09:53:47 -0500	[thread overview]
Message-ID: <b706b6cd-6950-385f-3711-a09c4dc1402a@amd.com> (raw)
In-Reply-To: <123351a8-1f6b-07b1-6b73-6052bb84d704@amd.com>

On 4/21/23 09:26, Tom Lendacky wrote:
> On 4/21/23 03:36, Dun Tan wrote:
>> Remove code that apply AddressEncMask to non-leaf entry when split
>> smm page table by MemEncryptSevLib. In FvbServicesSmm driver, it
>> calls MemEncryptSevClearMmioPageEncMask to clear AddressEncMask
>> bit in page table for a specific range. In AMD SEV feature, this
>> AddressEncMask bit in page table is used to indicate if the memory
>> is guest private memory or shared memory. But all memory used by
>> page table are treated as encrypted regardless of encryption bit.
>> So remove the EncMask bit for smm non-leaf page table entry
>> doesn't impact AMD SEV feature.
>> If page split happens in the AddressEncMask bit clear process,
>> there will be some new non-leaf entries with AddressEncMask
>> applied in smm page table. When ReadyToLock, code in PiSmmCpuDxe
>> module will use CpuPageTableLib to modify smm page table. So
>> remove code to apply AddressEncMask for new non-leaf entries
>> since CpuPageTableLib doesn't consume the EncMask PCD.
> 
> I'm really not a fan of removing the encryption mask, because technically 
> it is correct to have it present in non-leaf entries. I really think the 
> pagetable library should be able to work correctly with or without the 
> encryption mask.

Or if we do go this route, there needs to be a really big, informative 
comment above the areas where the AddressEncMask is now being removed to 
explain why the code isn't setting the encryption mask (SEV pagetable walk 
behavior and the fact that the pagetable library is unaware of the 
encryption bit and encounters errors when trying to walk the entries, etc.).

Thanks,
Tom

> 
> What would it take to make the pagetable library aware of the mask?
> 
> Thanks,
> Tom
> 
>>
>> Signed-off-by: Dun Tan <dun.tan@intel.com>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Cc: Ray Ni <ray.ni@intel.com>
>> ---
>>   OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git 
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c 
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> index a1f6e61c1e..f2b821f6d9 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> @@ -233,7 +233,7 @@ Split2MPageTo4K (
>>     // Fill in 2M page entry.
>>     //
>>     *PageEntry2M = ((UINT64)(UINTN)PageTableEntry1 |
>> -                  IA32_PG_P | IA32_PG_RW | AddressEncMask);
>> +                  IA32_PG_P | IA32_PG_RW);
>>   }
>>   /**
>> @@ -352,7 +352,7 @@ SetPageTablePoolReadOnly (
>>           PhysicalAddress += LevelSize[Level - 1];
>>         }
>> -      PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask |
>> +      PageTable[Index] = (UINT64)(UINTN)NewPageTable |
>>                            IA32_PG_P | IA32_PG_RW;
>>         PageTable = NewPageTable;
>>       }
>> @@ -440,7 +440,7 @@ Split1GPageTo2M (
>>     // Fill in 1G page entry.
>>     //
>>     *PageEntry1G = ((UINT64)(UINTN)PageDirectoryEntry |
>> -                  IA32_PG_P | IA32_PG_RW | AddressEncMask);
>> +                  IA32_PG_P | IA32_PG_RW);
>>     PhysicalAddress2M = PhysicalAddress;
>>     for (IndexOfPageDirectoryEntries = 0;

  reply	other threads:[~2023-04-21 14:53 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-21  8:36 [Patch V3 00/11] Use CpuPageTableLib to create and update smm page table duntan
2023-04-21  8:36 ` [Patch V3 01/11] OvmfPkg: Add CpuPageTableLib required by PiSmmCpuDxe duntan
2023-04-21  8:36 ` [Patch V3 02/11] UefiPayloadPkg: " duntan
2023-04-21  8:36 ` [Patch V3 03/11] OvmfPkg:Remove code that apply AddressEncMask to non-leaf entry duntan
2023-04-21 14:26   ` Lendacky, Thomas
2023-04-21 14:53     ` Lendacky, Thomas [this message]
2023-04-24  3:38       ` [edk2-devel] " duntan
2023-04-24  9:54     ` Gerd Hoffmann
2023-04-25  2:51       ` Ni, Ray
2023-04-26  7:58         ` Min Xu
2023-04-21  8:36 ` [Patch V3 04/11] UefiCpuPkg: Use CpuPageTableLib to convert SMM paging attribute duntan
2023-04-21  8:36 ` [Patch V3 05/11] UefiCpuPkg/PiSmmCpuDxeSmm: Avoid setting non-present range to RO/NX duntan
2023-04-21  8:36 ` [Patch V3 06/11] UefiCpuPkg: Extern mSmmShadowStackSize in PiSmmCpuDxeSmm.h duntan
2023-04-21  8:36 ` [Patch V3 07/11] UefiCpuPkg/PiSmmCpuDxeSmm: Add 2 function to disable/enable CR0.WP duntan
2023-04-21  8:36 ` [Patch V3 08/11] UefiCpuPkg/PiSmmCpuDxeSmm: Clear CR0.WP before modify page table duntan
2023-04-21  8:36 ` [Patch V3 09/11] UefiCpuPkg: Refinement to current smm page table generation code duntan
2023-04-21  8:36 ` [Patch V3 10/11] UefiCpuPkg: Refinement to code about updating smm page table duntan
2023-04-21  8:36 ` [Patch V3 11/11] UefiCpuPkg/PiSmmCpuDxeSmm: Remove unnecessary function duntan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b706b6cd-6950-385f-3711-a09c4dc1402a@amd.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox