From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.81]) by mx.groups.io with SMTP id smtpd.web10.61516.1595871827692640263 for ; Mon, 27 Jul 2020 10:43:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=emzSfZm/; spf=pass (domain: redhat.com, ip: 207.211.31.81, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595871826; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tpWuBKBJcytA6s/d+a4rP9nN1jx+Ctk1wZM6esbuh4s=; b=emzSfZm/NHJutANvesFYQgDGLGgWsxHEJvKhOZ9QZvUyPwjw1xUVIVMf0s3vqi8yrCNeDH hEVXWLKnAqWSqIHvdnOdWPSsS7ruBYhZDuIf6k+E+HgH2NIAa//F7lA69MUxyBCEHK4gPH GxTHFG8lgpr3+pluN85zPWRsEGDBX8s= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-271-soBO-tK5N4SU2a3FE8eTUA-1; Mon, 27 Jul 2020 13:43:42 -0400 X-MC-Unique: soBO-tK5N4SU2a3FE8eTUA-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2C81919057A1; Mon, 27 Jul 2020 17:43:40 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-183.ams2.redhat.com [10.36.112.183]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4B1FF5C1BD; Mon, 27 Jul 2020 17:43:36 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v12 00/46] SEV-ES guest support From: "Laszlo Ersek" To: devel@edk2.groups.io, thomas.lendacky@amd.com Cc: Brijesh Singh , Ard Biesheuvel , Eric Dong , Jordan Justen , Liming Gao , Michael D Kinney , Ray Ni , Andrew Fish , Anthony Perard , Benjamin You , Dandan Bi , Guo Dong , Hao A Wu , Jian J Wang , Julien Grall , Leif Lindholm , Maurice Ma References: <78601308-ff64-3af4-ffdd-2fccfd49f64a@redhat.com> Message-ID: Date: Mon, 27 Jul 2020 19:43:35 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <78601308-ff64-3af4-ffdd-2fccfd49f64a@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 07/27/20 19:41, Laszlo Ersek wrote: > Hi Tom, > > On 07/27/20 17:25, Lendacky, Thomas wrote: >> From: Tom Lendacky >> >> This patch series provides support for running EDK2/OVMF under SEV-ES. >> >> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the >> SEV support to protect the guest register state from the hypervisor. See >> "AMD64 Architecture Programmer's Manual Volume 2: System Programming", >> section "15.35 Encrypted State (SEV-ES)" [1]. >> >> In order to allow a hypervisor to perform functions on behalf of a guest, >> there is architectural support for notifying a guest's operating system >> when certain types of VMEXITs are about to occur. This allows the guest to >> selectively share information with the hypervisor to satisfy the requested >> function. The notification is performed using a new exception, the VMM >> Communication exception (#VC). The information is shared through the >> Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction. >> The GHCB format and the protocol for using it is documented in "SEV-ES >> Guest-Hypervisor Communication Block Standardization" [2]. >> >> The main areas of the EDK2 code that are updated to support SEV-ES are >> around the exception handling support and the AP boot support. >> >> Exception support is required starting in Sec, continuing through Pei >> and into Dxe in order to handle #VC exceptions that are generated. Each >> AP requires it's own GHCB page as well as a page to hold values specific >> to that AP. >> >> AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence >> is typically used to boot the APs. However, the hypervisor is not allowed >> to update the guest registers. The GHCB document [2] talks about how SMP >> booting under SEV-ES is performed. >> >> Since the GHCB page must be a shared (unencrypted) page, the processor >> must be running in long mode in order for the guest and hypervisor to >> communicate with each other. As a result, SEV-ES is only supported under >> the X64 architecture. >> >> [1] https://www.amd.com/system/files/TechDocs/24593.pdf >> [2] https://developer.amd.com/wp-content/resources/56421.pdf >> >> --- >> >> These patches are based on commit: >> 6074f57e5b19 ("MdePkg/Include/IndustryStandard: Main CXL header") >> >> A version of the tree can be found at: >> https://github.com/AMDESE/ovmf/tree/sev-es-v20 >> >> Cc: Andrew Fish >> Cc: Anthony Perard >> Cc: Ard Biesheuvel >> Cc: Benjamin You >> Cc: Dandan Bi >> Cc: Eric Dong >> Cc: Guo Dong >> Cc: Hao A Wu >> Cc: Jian J Wang >> Cc: Jordan Justen >> Cc: Julien Grall >> Cc: Laszlo Ersek >> Cc: Leif Lindholm >> Cc: Liming Gao >> Cc: Maurice Ma >> Cc: Michael D Kinney >> Cc: Ray Ni >> >> Changes since v11: >> - Make the XGETBV and VMGEXIT .nasm files buildable for all environments >> and remove the updates that add these instructions to GccInline.c > > Patches 40-46 (inclusive) seem to be missing from my mailbox (and the > list archive on groups.io lacks them too, apparently). > > Did you get rate-limited by some component when sending the series, perhaps? On a second / closer look, that seems quite likely, because my INBOX does have all the (directly delivered) patches; only my list folder is missing the tail. Thanks Laszlo