From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Tue, 24 Sep 2019 04:59:11 -0700 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B76E7109EFC7; Tue, 24 Sep 2019 11:59:10 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-118.rdu2.redhat.com [10.10.120.118]) by smtp.corp.redhat.com (Postfix) with ESMTP id 91EC85D9CA; Tue, 24 Sep 2019 11:59:08 +0000 (UTC) Subject: Re: [edk2-devel] [RFC PATCH v2 03/44] OvmfPkg: Add support to perform SEV-ES initialization To: devel@edk2.groups.io, thomas.lendacky@amd.com Cc: Jordan Justen , Ard Biesheuvel , Michael D Kinney , Liming Gao , Eric Dong , Ray Ni , "Singh, Brijesh" References: From: "Laszlo Ersek" Message-ID: Date: Tue, 24 Sep 2019 13:59:07 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.65]); Tue, 24 Sep 2019 11:59:10 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 09/19/19 21:52, Lendacky, Thomas wrote: > From: Tom Lendacky > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 > > When SEV-ES is active, then SEV is also active. Add support to the SEV > initialization function to also check for SEV-ES being active. If SEV-ES > is active, set the SEV-ES active PCD (PcdSevEsActive). > > Cc: Jordan Justen > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Signed-off-by: Tom Lendacky > --- > OvmfPkg/OvmfPkgIa32.dsc | 3 +++ > OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ > OvmfPkg/OvmfPkgX64.dsc | 3 +++ > OvmfPkg/PlatformPei/PlatformPei.inf | 1 + > OvmfPkg/PlatformPei/AmdSev.c | 26 ++++++++++++++++++++++++++ > 5 files changed, 36 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 6ab730018694..0ce5c01722ef 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -558,6 +558,9 @@ [PcdsDynamicDefault] > # Set memory encryption mask > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 > > + # Set SEV-ES defaults > + gEfiMdeModulePkgTokenSpaceGuid.PcdSevEsActive|0 > + > !if $(SMM_REQUIRE) == TRUE > gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8 > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index f163aa267132..e7455e35a55d 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -570,6 +570,9 @@ [PcdsDynamicDefault] > # Set memory encryption mask > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 > > + # Set SEV-ES defaults > + gEfiMdeModulePkgTokenSpaceGuid.PcdSevEsActive|0 > + > !if $(SMM_REQUIRE) == TRUE > gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8 > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index fa98f16a3fb3..0b8305cd10a2 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -569,6 +569,9 @@ [PcdsDynamicDefault] > # Set memory encryption mask > gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 > > + # Set SEV-ES defaults > + gEfiMdeModulePkgTokenSpaceGuid.PcdSevEsActive|0 > + > !if $(SMM_REQUIRE) == TRUE > gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8 > gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf > index d9fd9c8f05b3..2736347a2e03 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -100,6 +100,7 @@ [Pcd] > gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber > gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds > gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize > + gEfiMdeModulePkgTokenSpaceGuid.PcdSevEsActive (1) Can you add this next to "gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask"? > > [FixedPcd] > gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress > diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c > index 2ae8126ccf8a..7ae2f26a2ba7 100644 > --- a/OvmfPkg/PlatformPei/AmdSev.c > +++ b/OvmfPkg/PlatformPei/AmdSev.c > @@ -19,6 +19,27 @@ > > #include "Platform.h" > > +/** > + > + Initialize SEV-ES support if running an SEV-ES guest. (2) s/an/in an/? (Just asking) > + > + **/ > +STATIC > +VOID > +AmdSevEsInitialize ( > + VOID > + ) > +{ > + RETURN_STATUS PcdStatus; > + > + if (!MemEncryptSevEsIsEnabled ()) { > + return; > + } > + > + PcdStatus = PcdSetBoolS (PcdSevEsActive, 1); (3) Please write TRUE, not 1. > + ASSERT_RETURN_ERROR (PcdStatus); > +} > + > /** > > Function checks if SEV support is available, if present then it sets > @@ -89,4 +110,9 @@ AmdSevInitialize ( > EfiBootServicesData // MemoryType > ); > } > + > + // > + // Check and perform SEV-ES initialization if required. > + // > + AmdSevEsInitialize (); > } > With (1) and (3) fixed: Reviewed-by: Laszlo Ersek Thanks Laszlo