public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: Tom Lendacky <thomas.lendacky@amd.com>, devel@edk2.groups.io
Cc: Brijesh Singh <brijesh.singh@amd.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: Re: [edk2-devel] [PATCH 06/12] OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range
Date: Wed, 6 Jan 2021 16:38:16 +0100	[thread overview]
Message-ID: <c35b9b95-2b0e-a45e-09b3-20cbb5cdfbfc@redhat.com> (raw)
In-Reply-To: <946164e0-38f4-aff6-b2dc-3f2348c0d97d@amd.com>

On 01/05/21 23:48, Tom Lendacky wrote:
> On 1/4/21 3:04 PM, Laszlo Ersek wrote:
>> On 12/15/20 21:51, Lendacky, Thomas wrote:
>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>>
>>> BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3108&amp;data=04%7C01%7Cthomas.lendacky%40amd.com%7Cf35ac4fb20264b713aa108d8b0f45717%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637453910773208310%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=wZg2UIdJ%2FZ2HLGbWcfli3SVzl1cSMkyI%2FvREVldOB9M%3D&amp;reserved=0
>>>
>>> The PCIe MMCONFIG range should be treated as an MMIO range. However,
>>> there is a comment in the code explaining why AddIoMemoryBaseSizeHob()
>>> is not called. The AmdSevDxe walks the GCD map looking for MemoryMappedIo
>>> or NonExistent type memory and will clear the encryption bit for these
>>> ranges.
>>>
>>> Since the MMCONFIG range does not have one of these types, the encryption
>>> bit is not cleared for this range. Add support to detect the presence of
>>> the MMCONFIG range and clear the encryption bit. This will be needed for
>>> follow-on support that will validate MMIO under SEV-ES.
>>>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
>>> Cc: Brijesh Singh <brijesh.singh@amd.com>
>>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>>> ---
>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.inf |  8 +++++++-
>>>  OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 20 +++++++++++++++++++-
>>>  2 files changed, 26 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
>>> index dd9ecc789a20..0676fcc5b6a4 100644
>>> --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
>>> +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
>>> @@ -2,7 +2,7 @@
>>>  #
>>>  #  Driver clears the encryption attribute from MMIO regions when SEV is enabled
>>>  #
>>> -#  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
>>> +#  Copyright (c) 2017 - 2020, AMD Inc. All rights reserved.<BR>
>>>  #
>>>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>>>  #
>>> @@ -39,3 +39,9 @@ [Depex]
>>>  
>>>  [FeaturePcd]
>>>    gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
>>> +
>>> +[FixedPcd]
>>> +  gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
>>> +
>>> +[Pcd]
>>> +  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
>>> diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
>>> index 595586617882..ed516fcdf956 100644
>>> --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
>>> +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
>>> @@ -4,7 +4,7 @@
>>>    in APRIORI. It clears C-bit from MMIO and NonExistent Memory space when SEV
>>>    is enabled.
>>>  
>>> -  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
>>> +  Copyright (c) 2017 - 2020, AMD Inc. All rights reserved.<BR>
>>>  
>>>    SPDX-License-Identifier: BSD-2-Clause-Patent
>>>  
>>> @@ -17,6 +17,7 @@
>>>  #include <Library/MemEncryptSevLib.h>
>>>  #include <Library/MemoryAllocationLib.h>
>>>  #include <Library/PcdLib.h>
>>> +#include <IndustryStandard/Q35MchIch9.h>
>>
>> (1) Please keep the #include list alphabetically sorted.
> 
> Will fix.
> 
>>
>>>  
>>>  EFI_STATUS
>>>  EFIAPI
>>> @@ -65,6 +66,23 @@ AmdSevDxeEntryPoint (
>>>      FreePool (AllDescMap);
>>>    }
>>>  
>>> +  //
>>> +  // If PCI Express is enabled, the MMCONFIG area has been reserved, rather
>>> +  // than marked as MMIO, and so the C-bit won't be cleared by the above walk
>>> +  // through the GCD map. Check for the MMCONFIG area and clear the C-bit for
>>> +  // the range.
>>> +  //
>>> +  if (PcdGet16 (PcdOvmfHostBridgePciDevId) == INTEL_Q35_MCH_DEVICE_ID) {
>>> +    Status = MemEncryptSevClearPageEncMask (
>>> +               0,
>>> +               FixedPcdGet64 (PcdPciExpressBaseAddress),
>>> +               EFI_SIZE_TO_PAGES (SIZE_256MB),
>>> +               FALSE
>>> +               );
>>> +
>>> +    ASSERT_EFI_ERROR (Status);
>>> +  }
>>> +
>>>    //
>>>    // When SMM is enabled, clear the C-bit from SMM Saved State Area
>>>    //
>>>
>>
>> Very interesting. One wonders why, without this change, MMCONFIG
>> accesses work at all on SEV.
>>
>> But then... this guest phys area is not backed by RAM in the first
>> place. Whenever the guest accesses it, we trap to QEMU unconditionally.
>> And so memory encryption plays no role in practice, I must think.
>>
>> It's different for the flash, because the flash is backed by RAM, and
>> whether an access to it traps to QEMU or not depends on both the access
>> (r/w/x) and the mode the flash is in (programming mode on vs. off).
>>
>> I now wonder whether the comment in the leading context (not visible
>> above), namely the one that references the root bridge MMIO aperture,
>> from which the PCI MMIO BARs are allocated, is accurate. Perhaps that
>> area would work in fact even if we didn't clear the C bit for them
>> (considering just the accesses themselves under SEV; not SEV-ES).
>>
>> (2) Please include a sentence in the commit message about the fact that
>> MMCONFIG is not backed by a KVM memory slot, and so actual memory
>> encryption does not take place, and that's why MMCONFIG accesses do not
>> break currently under SEV / SEV-ES. (This is at least what I think happens.)
> 
> Since that address range is marked as MMIO in the nested page tables by
> KVM (reserved bits set), accessing that address range will always trigger
> a nested page fault (NPF).
> 
> For SEV, the hardware clears the encryption bit from the GPA provided for
> the NPF, so KVM/Qemu see the base address and everything just works.
> 
> For SEV-ES, the NPF triggers a #VC. Since we run identity mapped (VA ==
> PA), I use the virtual address in the VMGEXIT, which doesn't contain the
> encryption bit, so, again, everything just works. The SEV-ES check for the
> encryption bit being set is what uncovered this condition.
> 
> I'll write that up in the commit.

Thank you!
Laszlo


  reply	other threads:[~2021-01-06 15:38 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-15 20:50 [PATCH 00/12] SEV-ES security mitigations Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 01/12] Ovmf/ResetVector: Simplify and consolidate the SEV features checks Lendacky, Thomas
2021-01-04 18:58   ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 02/12] OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file Lendacky, Thomas
2021-01-04 19:02   ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 03/12] OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES Lendacky, Thomas
2021-01-04 19:59   ` [edk2-devel] " Laszlo Ersek
2021-01-04 20:45     ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 04/12] OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check Lendacky, Thomas
2021-01-04 20:00   ` [edk2-devel] " Laszlo Ersek
2021-01-04 20:48     ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 05/12] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask Lendacky, Thomas
2021-01-04 20:34   ` [edk2-devel] " Laszlo Ersek
2021-01-04 21:09     ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 06/12] OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range Lendacky, Thomas
2021-01-04 21:04   ` [edk2-devel] " Laszlo Ersek
2021-01-05 22:48     ` Lendacky, Thomas
2021-01-06 15:38       ` Laszlo Ersek [this message]
2020-12-15 20:51 ` [PATCH 07/12] OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value Lendacky, Thomas
2021-01-04 21:05   ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 08/12] OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC Lendacky, Thomas
2021-01-05  9:40   ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:34     ` Lendacky, Thomas
2021-01-05 15:38       ` Lendacky, Thomas
2021-01-06 14:22         ` Laszlo Ersek
2021-01-06 14:21       ` Laszlo Ersek
2020-12-15 20:51 ` [PATCH 09/12] OvmfPkg/MemEncryptSevLib: Address range encryption state interface Lendacky, Thomas
2021-01-05  9:48   ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 10/12] OvmfPkg/VmgExitLib: Support nested #VCs Lendacky, Thomas
2021-01-05 10:08   ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 11/12] OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported Lendacky, Thomas
2021-01-05 10:13   ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:40     ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 12/12] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory Lendacky, Thomas
2021-01-05 10:28   ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:45     ` Lendacky, Thomas
2020-12-17 14:23 ` [PATCH 00/12] SEV-ES security mitigations Laszlo Ersek
2020-12-21 15:02 ` [edk2-devel] " Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c35b9b95-2b0e-a45e-09b3-20cbb5cdfbfc@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox