From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min Xu, Ard Biesheuvel, Gerd Hoffmann, Jordan Justen, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky
Subject: [PATCH V5 0/2] Add Intel TDX support in OvmfPkg/ResetVector
Date: Mon, 30 Aug 2021 10:35:02 +0800

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology that extends Virtual Machines Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME) with a new kind of virtual machine guest called a Trust Domain (TD). A TD is designed to run in a CPU mode that protects the confidentiality of TD memory contents and the TD's CPU state from other software, including the hosting Virtual-Machine Monitor (VMM), unless explicitly shared by the TD itself.

The patch-sets to support Intel TDX in OvmfPkg are split into several waves. This is wave1, which adds Intel TDX support in OvmfPkg/ResetVector.

Note: TDX only works in X64.

Patch #1 adds the PCDs of BFV/CFV. BFV is the code part of the image. CFV is the configuration part. BFV is measured by VMM and CFV is measured by TDVF itself.

Patch #2 includes the below major changes to add Intel TDX support in OVMF.
1) It adds TDX_WORK_AREA as a field of union OVMF_WORK_AREA. This work area holds Intel TDX information needed during SEC phase.
2) A new file (X64/IntelTdxMetadata.asm) is added to describe the information about the image for VMM use in TDX guest.
3) Ia32/IntelTdx.asm includes the TDX routines used in ResetVector.
4) Main.asm is newly added to replace the one in UefiCpuPkg/ResetVector/Vtf0/Main.asm. It adds a new entry point (Main32) because of Intel TDX.
5) Ia32/PageTables64.asm is updated to process the feature of Intel TDX which supports GPAW 48 and 52.
6) Ia16/ResetVectorVtf0.asm addresses the TDX feature that all CPUs "reset" to run in 32-bit protected mode with flat descriptor (paging disabled).
7) ResetVector.nasmb is updated to include TDX related macros and files.

[TDX]: https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-final9-17.pdf
[TDVF]: https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf

Code is at https://github.com/mxu9/edk2/tree/tdvf_wave1.v5

v5 changes:
- Remove the changes of OVMF_WORK_AREA because Commit ab77b60 covers those changes.
- Refine the TDX related changes in PageTables64.asm and Flat32ToFlat64.asm.
- Add CheckTdxFeaturesBeforeBuildPagetables to check Non-Tdx, Tdx-BSP or Tdx-APs. This routine is called before building page tables.

v4 changes:
- Refine the PageTables64.asm and Flat32ToFlat64.asm to enable TDX.
- Refine SEV_ES_WORK_AREA so that SEV/TDX/Legacy guests all can use this memory region. https://edk2.groups.io/g/devel/message/78345 is the discussion.
- AmdSev.asm is removed because Brijesh Singh has done it in https://edk2.groups.io/g/devel/message/78241.

v3 changes:
- Refine PageTables64.asm and Flat32ToFlat64.asm based on the review comments in [ReviewComment-1] and [ReviewComment-2].
- SEV codes are in AmdSev.asm
- TDX codes are in IntelTdx.asm
- Main.asm is created in OvmfPkg/ResetVector. The one in UefiCpuPkg/ResetVector/Vtf0 is not used.
- Init32.asm/ReloadFlat32.asm in UefiCpuPkg/ResetVector/Vtf0/Ia32 are deleted. They're moved to OvmfPkg/ResetVector/Ia32.
- InitTdx.asm is renamed to IntelTdx.asm

v2 changes:
- Move InitTdx.asm and ReloadFlat32.asm from UefiCpuPkg/ResetVector/Vtf0 to OvmfPkg/ResetVector. Init32.asm is created, which is a null stub of 32-bit initialization. In Main32 just simply call Init32. It makes the Main.asm in UefiCpuPkg/ResetVector clean and clear.
- Init32.asm/InitTdx.asm/ReloadFlat32.asm are created under OvmfPkg/ResetVector/Ia32.
- Update some descriptions of the patch-sets.
- Update the REF link in cover letter.
- Add Ard Biesheuvel in Cc list.

v1: https://edk2.groups.io/g/devel/message/77675

Cc: Ard Biesheuvel
Cc: Gerd Hoffmann
Cc: Jordan Justen
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Signed-off-by: Min Xu

Min Xu (2):
  OvmfPkg: Introduce Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb
  OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf

 OvmfPkg/Include/WorkArea.h                   |  30 ++
 OvmfPkg/OvmfPkg.dec                          |  12 +
 OvmfPkg/OvmfPkgDefines.fdf.inc               |  10 +
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm |  39 +++
 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm  |  10 +
 OvmfPkg/ResetVector/Ia32/IntelTdx.asm        | 302 +++++++++++++++++++
 OvmfPkg/ResetVector/Ia32/PageTables64.asm    |  20 +-
 OvmfPkg/ResetVector/Main.asm                 | 119 ++++++++
 OvmfPkg/ResetVector/ResetVector.inf          |  10 +
 OvmfPkg/ResetVector/ResetVector.nasmb        |  47 ++-
 OvmfPkg/ResetVector/X64/IntelTdxMetadata.asm | 110 +++++++
 11 files changed, 702 insertions(+), 7 deletions(-)
 create mode 100644 OvmfPkg/ResetVector/Ia32/IntelTdx.asm
 create mode 100644 OvmfPkg/ResetVector/Main.asm
 create mode 100644 OvmfPkg/ResetVector/X64/IntelTdxMetadata.asm

-- 
2.29.2.windows.2