From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com [40.107.243.82]) by mx.groups.io with SMTP id smtpd.web10.9439.1619535497686439348 for ; Tue, 27 Apr 2021 07:58:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=NHjgIyr9; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.243.82, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FoxOeLKp5bF6Av70jYIJfqNHP0lKlcmGu+rv5GtX+LD0IYO5RLu6PiHpladAXewSiw6xeJNxia4vfoNRUyNP6I7DRtAXMdKRAcWRCQjETtL8luNtG/G09JKnDMSwfHYZLkhHXxSQdKQ3QN7hbN9y85u/Uq33MrevYDlQNhjvSlpEF4FyJKejElQg3p1H5yQNJEh3udWCjjiMKrorFg/l4VajMpZvbd+/Bw3rHm2Kg/qTygGtxbb86xNEu9mIGmDxHnqVQBZo94TS3iUBiTevrV3a2cet6YNdDwmlDTsfZrDREizFxns8Sv+qIolg1Uwl8mAFkBjmYOxiEE1W8jhsGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aWy0b0Kp+cs0UQY22pkHYRsnv7dziUjhYQ3UqSZ39AM=; b=cMycHP59X69OPUnqhvL3sS3UzJuggthg9FwM5d8gH2A8guRPV2dxPr+AylQpDbp6ALo64NkTSjs5O2gL/lLFVafwX/7bbJZoU3pBGB6nEcriWa6Zr1PmxClbVmu/TP+yZgWslj/aZZHCIW+T1YjXy+eegJsFcLUBm/nEEd7j44Wy1Pf/R9kJ+iyokcMTtAWoO81iWNGMPxLmRmdB1W8qajL/kbzkeLducjo1GPhe1ydsalD38mICyMmMH9GVdBKfalKf5ZKAyDSYzibNdjuisMempHkvSgY7nupi8nwKMQShn/2B/WjBrpAk3A0qX1SVbPbdqYkh0lTK+ejSq2WqiA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aWy0b0Kp+cs0UQY22pkHYRsnv7dziUjhYQ3UqSZ39AM=; b=NHjgIyr99agmg0MTxEaMqcUGD8UzbGIu0Vp+6vRQIouDUdJHS/vOBhTXnhzG4e11ZOBoimfAahSxMBVu1kmcD9zXkfHLUc7vZ7sC2gVWvzZ53o+vrn/j7ZEqtog7B6wNb4Kg54XZHYYnHgKQhfGPpIxsG/aihwQEU0tP4bLGaY4= Authentication-Results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM6PR12MB4043.namprd12.prod.outlook.com (2603:10b6:5:216::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.23; Tue, 27 Apr 2021 14:58:11 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::b914:4704:ad6f:aba9]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::b914:4704:ad6f:aba9%12]) with mapi id 15.20.4065.026; Tue, 27 Apr 2021 14:58:11 +0000 Subject: Re: [edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV From: "Lendacky, Thomas" To: Laszlo Ersek , devel@edk2.groups.io Cc: Joerg Roedel , Borislav Petkov , Ard Biesheuvel , Jordan Justen , Brijesh Singh , James Bottomley , Jiewen Yao , Min Xu References: <1f64ca5689ec86c427e4db8c41da598896dca4ba.1618959281.git.thomas.lendacky@amd.com> <8417023b-b3d6-5268-e92a-0c6f5ebfff6b@redhat.com> <4261e15a-84a0-11a7-2981-9eeb538f6da9@redhat.com> <311cdc78-d818-bea4-16a1-01077bfc1140@amd.com> <21f40236-88f6-5886-1345-5a8b9ac1f732@amd.com> <0ad9369d-d863-5bfc-1326-ff4b631bd04e@amd.com> Message-ID: Date: Tue, 27 Apr 2021 09:58:08 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 In-Reply-To: <0ad9369d-d863-5bfc-1326-ff4b631bd04e@amd.com> X-Originating-IP: [67.79.209.213] X-ClientProxiedBy: SA9PR03CA0030.namprd03.prod.outlook.com (2603:10b6:806:20::35) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from office-linux.texastahm.com (67.79.209.213) by SA9PR03CA0030.namprd03.prod.outlook.com (2603:10b6:806:20::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.20 via Frontend Transport; Tue, 27 Apr 2021 14:58:10 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f7771f81-23f1-43fa-0723-08d9098cdff8 X-MS-TrafficTypeDiagnostic: DM6PR12MB4043: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: qu1DzaWfjBHhK1Wn0PQ1bGN0S7sYzXh7mIUxw6GvJZVHXYaPnqRJ77zAICs/vU3nRA5RNl05eTPTriNKYtS8MRm1gI7nVgiFgujDzmouoYlzNZG68RtrLp7DfJbaB50NKVrbJd+vCcNsHGBlSL1tQ3IAsyn5hBmG3qGhGhiy50xjjUiQPB0/zYIKCO1J9aBPasz5PbOuo5+PEefwPJFdim6jDAzJf5ScvNwSCMdZGNeIExGjYSlArW9WA3l6EdPufu1KJDB6q6i6qFFeWVod2GgNMExb/QUHvgeeWYkCIjFnj4TV0JBuNXUxCJjzsM3+Orb8fxV+CetAaibhcVpnFzDG1XseY/dGGyLOJVgfX9G7hmwBL1c7jB07+JuYK3V9AElef2fr5TBzCjRrdS6pvCsbf8jU4GIcwCVkPl5ZxSIW7iWI+k2SUjYSA0/Q/3E/zfh1SkyylZ6Pr8dSrw1rf50e7hjw4AX9gEaF8s5DJKKK03vDaNJjPCuh84Y1fSmHddc8pL6kA4QqBR7OMTuyXoS/ELGG/HowTxYuy222FvMkPl8IgPAcVFl6o+KQF5nm4lAo6EJUm3vI1XCJpAiugMadgUJJGPwW7wh2y1MBD3DxMOLswLe7SfHDrnZxMqydnC+2P8+OPKLov6UtXOCY/oMwn4zsDbxsy80E1q4EzonXh0Eo/Pf4uOW+SbeRoZPI X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(39860400002)(396003)(376002)(136003)(366004)(186003)(66946007)(26005)(38100700002)(316002)(83380400001)(6506007)(16526019)(66556008)(6486002)(66476007)(86362001)(53546011)(36756003)(478600001)(6512007)(54906003)(2616005)(31696002)(31686004)(8676002)(8936002)(4326008)(2906002)(956004)(5660300002)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?VWtOdXl3eVRMQ2I2Q2NUVFR1TGphVjhWSDJPQjJsZjdhYzYvdFIxTnhCQ3Vi?= =?utf-8?B?elpMVStocXZsOHNEV2JtdzBYSElwMjNxQlVIeWFoSUpKdDhDdlhxeDNqcWVh?= =?utf-8?B?TU4xYUhzTFB3UTNNTTJzVHhEMjVUckMwQW9aZVk4M0tDVGQxRFdaOHVUa0Ri?= =?utf-8?B?Q01rU2lROWtKQjhBaG82M0RCajBHYUNRa3VPSGNMcWtPdjQ5N1QvNENhSDdL?= =?utf-8?B?TUp6YWpnd1NEUkFscFVJd2o2UlZ3eTVnVXpmOVBWU0VkbFRCRGFJMitMdW4w?= =?utf-8?B?Z3h2ZEV3WmtzK09lUld5OC9YY3A5OCt0QlJqYU1wRVZNU2E4QTUxK0xubUhO?= =?utf-8?B?WXpEYWJvUjZLMXJJT0UyZVd2TytpNCtnR0lmN1ZxdWdQQmdLejF5ZXoxT3I5?= =?utf-8?B?c0R3WkF2UHNYL1I1d2x4amwxM080Q0pVejVNZFRIYitpVmM2alVoZW5CVUJo?= =?utf-8?B?dE5WWUEzam90cjg1aFBwWGZCcDRWekNZUG1WcVE0dEk5czZEUTlubHBOR2w0?= =?utf-8?B?TWFlZ2lieUFGRSt1U0RlQlZoQzlwQUNRUDQ1dVk0UlFNMTZXL2MyMW1iMUty?= =?utf-8?B?ZExaRW9PMzhNYVkvd0lwbzdsVDE3V2lTZGoxcHQ5WFJpVXdHb2VOcTF0dytE?= =?utf-8?B?VG15aFJLUEU2TkRmNENGMEFTazlsU0ZtVUtFbUVEcGw0dm42NDVtUnM5TklO?= =?utf-8?B?cmVtK1RxelY1VUMvRmhGYUxwUW1OTG5Pbm9vMmdySEVURWQ0eFNtQ3JLS2Y2?= =?utf-8?B?YjNDWHByWnNrZ1puVWZwaVFYY29sTnZ4UGVoUjZjTlJ0dlYwa1V4amxoQ3pv?= =?utf-8?B?NGlqRzYyWjFNYlplbit6QnMvcW5xUzBOTkxtUXNGTFgxSWJ6eVI3M1B0Uk13?= =?utf-8?B?UDRMU3V3SVVkUFlFMXJ4NkpyTG1SUDdPVjNHdVl2ZkRYak0rRHVDRWpTa1hn?= =?utf-8?B?Q0ZyL01vNTFFdXlnSVVKT1N2amp2QUkyYk83czNUeE5PL1JIOTlZcEl4eWpt?= =?utf-8?B?czYwbkQ1UUpZbHNsUGxKdWIrYlNZOWxxdXF5Q1dyYjRUczR1ZzducXlkeDl1?= =?utf-8?B?cXVxWkhTZmZVN2MvdFB4Z0x6U3VOSnZ0VE9reW9LRlAzUWg5THNLQVdkVytR?= =?utf-8?B?Z0hDT1dQS2pLc2I3Wk5PSWpNZ2dJU0F5dEZPQXZFNUV3bWcxT0lTOEcyTG8y?= =?utf-8?B?aTRHWWxvZkdnaHhCcTRMTXoxRlBwZXZObTF6YkkyUVNPTGpBZHZBdUxxaCtU?= =?utf-8?B?aTNMckwyMjJwQ1dULzVWeXBheFliQ3N0NWR1aXprdmtRU3ltZnNmRUpNM1l0?= =?utf-8?B?WTRsQlZ0dE51VXRJTndsQVpXSm95U1RQSmtzU2xiSjV2UTExMzVMbENtRkdh?= =?utf-8?B?U0dmQ3BkS2JrdUcrSldPbGV3UU4vYUpIblY5dFZ3Z1k5SXBDcDFuREJIcFBK?= =?utf-8?B?RnIrN1UxR1pZblJvUkl0MVBUZ2RoL3d3emRFY2JEaitRVEJ0Y1pkVVIxaWtD?= =?utf-8?B?Q1RJd3NBT05oN1c1ekVXaENoYWUzM1lVcTJIWVlZRGtRcHdYRW5vWFYyaHJI?= =?utf-8?B?VW0wbWFWYVpDZnh2TVJNa2pqRWJrcTUwV3JGa25zcHVPcFhya0RWM0dIYm80?= =?utf-8?B?aWFYcHdSU2swbFN3eUlIcXpsd0lxcTdhRlBTNzBkUnA4NDJoa3lESU1hb0hC?= =?utf-8?B?RzFTb1lsU1ZZMHdKOVJpWWgwdGlJN2NKam1nZEYyQU9vODF3SXliaHNQeGtK?= =?utf-8?Q?3Pz5SGMPUURxJPKuBYChM5Oz5KXvgs6ZEf3wHbI?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: f7771f81-23f1-43fa-0723-08d9098cdff8 X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Apr 2021 14:58:10.8990 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: y0awN5iVc2KuKtmdAJl2gYxvOZ2AUnmSue2a+56O9qNIhd44rCCXay3fL4T9iydSOwFXU2c9yx+7DcmR/axKjA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4043 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 4/26/21 9:21 AM, Tom Lendacky wrote: > On 4/26/21 7:07 AM, Laszlo Ersek wrote: >> On 04/23/21 22:02, Tom Lendacky wrote: >>> On 4/23/21 12:41 PM, Tom Lendacky wrote: >>>> On 4/23/21 8:04 AM, Laszlo Ersek wrote: >>>>> On 04/23/21 12:26, Laszlo Ersek wrote: >>>>>> review#2 from scratch: >>>>>> >>>>>> On 04/21/21 00:54, Tom Lendacky wrote: >>>>>>> From: Tom Lendacky ... >>>>> >>>>> I've had a further idea on this. >>>>> >>>>> You could add an entirely new PEIM just for this. The entry point >>>>> function of the PEIM would check for SEV, decrypt the TPM range if SEV >>>>> were active, and then install gOvmfTpmMmioAccessiblePpiGuid >>>>> (unconditionally). The exit status of the PEIM would always be >>>>> EFI_ABORTED, because there would be no need to keep the PEIM resident. >>>>> >>>>> The new PEIM would have a DEPEX on gEfiPeiMemoryDiscoveredPpiGuid, to >>>>> make sure that potential page table splitting for the potential MMIO >>>>> range decryption could be satisfied from permanent PEI RAM. >>>>> >>>>> The new PEIM would be included in the DSC and FDF files of the usual >>>>> three OVMF platforms, and in the Bhyve platform -- dependent on the >>>>> TPM_ENABLE build flag. >>>>> >>>>> There are several advantages to such a separate PEIM: >>>>> >>>>> - For Bhyve, the update is minimal. Just include one line in each of the >>>>> FDF and the DSC files. No need to customize an existent >>>>> platform-specific PEIM, no code duplication between two PlatformPei modules. >>>>> >>>>> - The new PEIM would depend on the TPM_ENABLE build flag, so it would >>>>> only be included in the firmware binaries if and only if Tcg2ConfigPei >>>>> were. No useless PPI installation would occur in the absence of TPM_ENABLE. >>>>> >>>>> - No need to check PcdTpmBaseAddress for nullity in the new PEIM, before >>>>> the decryption, as TPM_ENABLE guarantees (on IA32/X64) that the PCD >>>>> already has the right value. >>>>> >>>>> - The new logic would be properly ordered between PlatformPei and >>>>> Tcg2ConfigPei, namely due to the use of two such PPI GUIDs in DEPEXes >>>>> that actually make sense. PlatformPei -> TPM MMIO decryptor PEIM ordered >>>>> via "memory discovered" (needed for potential page table splitting), TPM >>>>> MMIO decryptor PEIM -> Tcg2ConfigPei ordered via "TPM MMIO decrypted". >>>>> >>>>> You could place the new PEIM at: >>>>> >>>>> OvmfPkg/Tcg/TpmMmioSevDecryptPei >>>>> >>>>> If you haven't lost your patience with me yet, I'd really appreciate if >>>>> you could investigate this! >>>>> >>>> >>>> So far, this appears to be working nicely. I'm new at the whole PEIM >>>> thing, so hopefully I haven't missed anything. I should be submitting the >>>> patches soon for review. >>> >>> So one thing I failed to do before submitting my previous patch was to >>> complete my testing against the IA32 and X64 combination build. In this >>> build, PEI is built as Ia32, and MemEncryptSevClearPageEncMask() will >>> return UNSUPPORTED causing an ASSERT (since I check the return code). So >>> there are a few options: >>> >>> 1. SEV works with the current encrypted mapping, it is only the SEV-ES >>> support that fails because of the ValidateMmioMemory() check. I can do >>> the mapping change just for SEV-ES since it is X64 only. This works, >>> because MemEncryptSevClearPageEncMask() will not return UNSUPPORTED >>> when running in 64-bit. >> >> Can we really say "SEV works" though? Because, even using an X64 PEI >> phase, and enabling only SEV (not SEV-ES), TPM access will be broken in >> the PEI phase. Is my understanding correct? > > Because the memory range is marked as MMIO, we'll take a nested page fault > (NPF). The GPA passed as part of the NPF does not include the c-bit. So we > do in fact work properly with a TPM in SEV. SEV-ES would also work > properly if the mitigation for accessing an encrypted address was removed > from the #VC handler. It is only this added mitigation to protect MMIO > that results in an issue with the TPM in PEI. So I'm thinking that I can have TpmMmioSevDecryptPeim.c do this: // // If SEV or SEV-ES is active, MMIO succeeds against an encrypted physical // address because the nested page fault (NPF) that occurs on access does not // include the encryption bit in the guest physical address provided to the // hypervisor. // // However, if SEV-ES is active, before performing the actual MMIO, an // additional MMIO mitigation check is performed in the #VC handler to ensure // that MMIO is being done to an unencrypted address. To prevent guest // termination in this scenario, mark the range unencrypted ahead of access. // if (MemEncryptSevEsIsEnabled ()) { // Do MemEncryptSevClearPageEncMask() ... } Let me submit the next version with this and see what you think. Thanks, Tom > >> >> I think the behavior you currently see is actually what we want, we >> should double down on it -- if MemEncryptSevClearPageEncMask() fails, >> report an explicit DEBUG_ERROR, and call CpuDeadLoop(). If the firmware >> is built with TPM_ENABLE, and SEV is active, then an IA32 PEI phase is >> simply unusable. Silently pretending that the TPM is not there, even >> though it may have been configured on the QEMU command line, we just >> failed to communicate with it, is not a good idea, IMO. > > However, because the c-bit is not part of the NPF, we do communicate > successfully with the TPM. > > So we could actually do following: > - For IA32: > - Remove the Depex on gOvmfTpmMmioAccessiblePpiGuid > - Do not add OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf > > - For X64: > - Add the Depex on gOvmfTpmMmioAccessiblePpiGuid > - Add OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf > > That might be confusing, though. So we could just do option #3 below. > > Thanks, > Tom > >> >> This is somewhat similar IMO to the S3Verification() function in >> "OvmfPkg/PlatformPei/Platform.c". >> >> TPM_ENABLE, SEV, IA32 PEI phase: pick any two. >> >> Thanks, >> Laszlo >> >>> >>> 2. Call MemEncryptSevClearPageEncMask() for SEV or SEV-ES, but don't check >>> the return status. >>> >>> 3. Create Ia32 and X64 versions of internal functions, where the Ia32 >>> version simply returns SUCCESS because it can't do anything and the X64 >>> version calls MemEncryptSevClearPageEncMask(), allowing the main code >>> to ASSERT on any errors. >>> >>> I'm leaning towards #1, because this is an SEV-ES only issue. Thoughts? >>> >>> Thanks, >>> Tom >>> >>>> >>>> One thing I found is that the Bhyve package makes reference to the >>>> OvmfPkg/Bhyve/Tcg directory, but that directory does not exist. So I don't >>>> think that TPM enablement has been tested. I didn't update the Bhyve >>>> support for that reason. >>>> >>>> Thanks, >>>> Tom >>>> >>>>> Thanks! >>>>> Laszlo >>>>> >>> >>