Re: [Patch V3 03/11] OvmfPkg:Remove code that apply AddressEncMask to non-leaf entry

["Lendacky, Thomas" <thomas.lendacky@amd.com>]

On 4/21/23 09:26, Tom Lendacky wrote:
> On 4/21/23 03:36, Dun Tan wrote:
>> Remove code that apply AddressEncMask to non-leaf entry when split
>> smm page table by MemEncryptSevLib. In FvbServicesSmm driver, it
>> calls MemEncryptSevClearMmioPageEncMask to clear AddressEncMask
>> bit in page table for a specific range. In AMD SEV feature, this
>> AddressEncMask bit in page table is used to indicate if the memory
>> is guest private memory or shared memory. But all memory used by
>> page table are treated as encrypted regardless of encryption bit.
>> So remove the EncMask bit for smm non-leaf page table entry
>> doesn't impact AMD SEV feature.
>> If page split happens in the AddressEncMask bit clear process,
>> there will be some new non-leaf entries with AddressEncMask
>> applied in smm page table. When ReadyToLock, code in PiSmmCpuDxe
>> module will use CpuPageTableLib to modify smm page table. So
>> remove code to apply AddressEncMask for new non-leaf entries
>> since CpuPageTableLib doesn't consume the EncMask PCD.
> 
> I'm really not a fan of removing the encryption mask, because technically 
> it is correct to have it present in non-leaf entries. I really think the 
> pagetable library should be able to work correctly with or without the 
> encryption mask.

Or if we do go this route, there needs to be a really big, informative 
comment above the areas where the AddressEncMask is now being removed to 
explain why the code isn't setting the encryption mask (SEV pagetable walk 
behavior and the fact that the pagetable library is unaware of the 
encryption bit and encounters errors when trying to walk the entries, etc.).

Thanks,
Tom

> 
> What would it take to make the pagetable library aware of the mask?
> 
> Thanks,
> Tom
> 
>>
>> Signed-off-by: Dun Tan <dun.tan@intel.com>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Cc: Ray Ni <ray.ni@intel.com>
>> ---
>>   OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 6 +++---
>>   1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git 
>> a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c 
>> b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> index a1f6e61c1e..f2b821f6d9 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
>> @@ -233,7 +233,7 @@ Split2MPageTo4K (
>>     // Fill in 2M page entry.
>>     //
>>     *PageEntry2M = ((UINT64)(UINTN)PageTableEntry1 |
>> -                  IA32_PG_P | IA32_PG_RW | AddressEncMask);
>> +                  IA32_PG_P | IA32_PG_RW);
>>   }
>>   /**
>> @@ -352,7 +352,7 @@ SetPageTablePoolReadOnly (
>>           PhysicalAddress += LevelSize[Level - 1];
>>         }
>> -      PageTable[Index] = (UINT64)(UINTN)NewPageTable | AddressEncMask |
>> +      PageTable[Index] = (UINT64)(UINTN)NewPageTable |
>>                            IA32_PG_P | IA32_PG_RW;
>>         PageTable = NewPageTable;
>>       }
>> @@ -440,7 +440,7 @@ Split1GPageTo2M (
>>     // Fill in 1G page entry.
>>     //
>>     *PageEntry1G = ((UINT64)(UINTN)PageDirectoryEntry |
>> -                  IA32_PG_P | IA32_PG_RW | AddressEncMask);
>> +                  IA32_PG_P | IA32_PG_RW);
>>     PhysicalAddress2M = PhysicalAddress;
>>     for (IndexOfPageDirectoryEntries = 0;