From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.61]) by mx.groups.io with SMTP id smtpd.web11.501.1609968233083522825 for ; Wed, 06 Jan 2021 13:23:53 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=ZmBHrPLV; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.94.61, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=agKf+vVavxQeRayoEYkJq5cLrDFriqNnv6yjyz+eANlrqsslV8wRZqCBhl3S9syXQUEEy1ycjABPiJ+4n43EBv2mXW4CCXHxru9k2bCFEnMDkXcSdqZG70zrkMrPZipntF0Ki6AHb4y6Su+7wrh5F9L3k+8C4ipjaF8TCvxDARkMVBiiY4U0JiDq69bHFX8Dh/j4LRkO9ZFTnX3tMmqzd97xvrbjukyCH0v0EGPtdTvKnfrT3my334fSP/l5DSzUABhMf2eAfiGDCnQC4B3OqB2taJk4jD+ZLsP7llTETjBqlTxYmua5m7isvfUqbP4qgO9rS1w50ZNTX3INke4oUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C79H85DkKHQ8Nv81qry6VCkKz2H8uFDWt4cf/wrE4Qg=; b=LRviL7/lSqOG2WQHSlG9OulV1arCG/IKPdXeJRHEAdOFlQjMxy8yKML79Hnywt4g0q9FQydvOSo+xQezryi8ytDSAhdmf1a6rgrTjU37BYYW0YQGqQfit6yq4tKWyrtMZYIlZQlY9b7yHP0YtzQLiVQslJBuUYZWTSH7qIhbCFBqdlEXcQZ4ZMr/wxwimosX5V4K4TPYv2v09tDesvF3ii7nHdENE4TS5UCrPeJeMxOhqXbfwpxoDg3fy/pBE4ZLYVfqT4us7A5iLGvsMwID+7sNf529BqGs7hvD8HI4P4246QteRZpZj5D4pL2I7nXUBxl5bEX0OEY++DkHtS0TEw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C79H85DkKHQ8Nv81qry6VCkKz2H8uFDWt4cf/wrE4Qg=; b=ZmBHrPLVLzVC4as6iMkX16mA0qct7JQ3VaSxmac/sGEiy9CAxG11ePbsk/TirBvQPxQt96cTNCPlWwYxYSTO4CeLJDbHtcKHhsejUYkoral+Xx/ZDthjHw+iXZaaORKvXkK6Q9Md4/bQF6MNCUEF0lcfc7dh9rnQ7YOb73nY6yA= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM5PR12MB1259.namprd12.prod.outlook.com (2603:10b6:3:75::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.6; Wed, 6 Jan 2021 21:23:51 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3721.024; Wed, 6 Jan 2021 21:23:51 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io CC: Brijesh Singh , James Bottomley , Jordan Justen , Laszlo Ersek , Ard Biesheuvel Subject: [PATCH v2 12/15] OvmfPkg/MemEncryptSevLib: Address range encryption state interface Date: Wed, 6 Jan 2021 15:21:38 -0600 Message-ID: X-Mailer: git-send-email 2.30.0 In-Reply-To: References: X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SN6PR05CA0009.namprd05.prod.outlook.com (2603:10b6:805:de::22) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from tlendack-t1.amd.com (165.204.77.1) by SN6PR05CA0009.namprd05.prod.outlook.com (2603:10b6:805:de::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.2 via Frontend Transport; Wed, 6 Jan 2021 21:23:50 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: c50fa821-3023-491d-fb19-08d8b2895d0c X-MS-TrafficTypeDiagnostic: DM5PR12MB1259: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6108; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: HeOyNVIpH47ny2nrNLcM9yMWmSE/niHt9ViYNeVT1lLuyl1qQKwUMnnZ5uKzer7uDV2T7ypouUC9BKUR4L1PDtsGF2CM2e3gTUjgu3qtIM7k1hhu1NWx2QbJVkuaLbi0A1S57+4Nbjwycuwoc+iAD3HqHWNBUXRzI0KuzP7yOqwia91uEt3rtKsClGZG+eSmDZvocNhA7bQgKu9cZq70p05byD23va2kYXb02xNUb3LwfdTOnuHzIhaTOzWu8lVmG4cCYmXbalqxcLk2GFfXKfjfUI94zHN2/JPKVr942CKvfvoEeP0y7yN39aSJfy1qphrHjGDzalZhZLhJVaAaWRIQOcMdnlYvIt4+9l0Aum5t7WqYsv5a9UCXvpB8Cd9EpkNduHPKpEEZ2WYdfPHkNDAJE8LXGYD2kjjVwdEq5x4GHlyKs7WjQaDE0z22Acl0kMsx9f+FLgVSj1ngDD8V7A== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(376002)(136003)(366004)(346002)(39860400002)(396003)(19627235002)(6666004)(316002)(83380400001)(45954011)(5660300002)(2906002)(52116002)(7696005)(36756003)(8676002)(8936002)(478600001)(54906003)(30864003)(966005)(66946007)(86362001)(2616005)(186003)(16526019)(4326008)(66476007)(26005)(6486002)(956004)(6916009)(66556008);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?ZF0JF7dWWXWGo+z1gzqRboeznTmdR18hcfMedPpSfrMPBUT28IuFcCPIKkwZ?= =?us-ascii?Q?a4Xi/vHTIdECvNlQXBG5jg9tlAmgb5KNUkv/G8ZETSyC/Hj8VzCfdVLQRKvN?= =?us-ascii?Q?Hp90qAbG1N0WxraUcdvzYBhqv3EuT/ghcB9p1sQ/M0c3NRiYdYZKNGB5X4a2?= =?us-ascii?Q?ZPbymO3gqOyuIsy53ePYGFrmZvpzYnf/eKTthscBpnKkUV+IVead3Z/Gy3+i?= =?us-ascii?Q?osB19lUFbU0WHg0I0weFYwr7R7kl5jicTszh8+GOrLQEza/s+GmBIIIRFLgk?= =?us-ascii?Q?sSYSEs0wE1z3qYBwbqyAYKB7GWuWfLiti4FqdHJLT8R6BVnk2FvoqbRhFFHV?= =?us-ascii?Q?E1WER6ZiGIbp9vAUYffCijGxS8tk8eR4E/5vRAVFK0IVc8OVYHln+WKflSXC?= =?us-ascii?Q?RNrhyQtHP6GvHA96xZU1Zu1G0K6OsiUe7rvTWrK7KPaQlbV1zw7DlU8w1xZP?= =?us-ascii?Q?8/ITKzptVF3eMRbWbDNIMHVhXCdTJXooee3kbweriatPFmV3WXvO0D7ddylo?= =?us-ascii?Q?I7l2EY8aUjTpnh51GykhDbJXuPyk0tdZBf1DZES16ltRQuWQdeMB8Lu6tNlN?= =?us-ascii?Q?e/dAWtBoyxwQfn4LsD6vd3y7HUuuCcp/EigK93AxZNTfKvcDgU5xT3tYINy0?= =?us-ascii?Q?z55MXxT+IqbLKHCn3HepS9cf8fqIoL/NdgSPZUE/lRntVu+ESpwxsT1Uu+DT?= =?us-ascii?Q?Ai4cdhAws8fowRdi13RTuflUFo/9I+TKdGvDok2sd5RmXCoZxTPCarGNEIxS?= =?us-ascii?Q?S8TwGN6rw5ZYwBrSZFBnxErVzsXwXWDje4aPdIRL3KPMQztSj+1n5kcBPu5F?= =?us-ascii?Q?o8xqyfG4HghiMMItkEEl6lIHcsYDYNdtj2gsLJObLCoXAY4P/BQwMrNWL7IW?= =?us-ascii?Q?hL3ncxvNcwfAqEZ6bmVD96nQ/O2azuCCg8+0DDVb/tCByvVJD4l7NyxnrP9d?= =?us-ascii?Q?4B3z5B1jYE7E7Suw/UULPTp64dIssKshtgIviL8YGqWvTHNGvzyupAM3jpTA?= =?us-ascii?Q?33v2?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Jan 2021 21:23:51.3061 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-Network-Message-Id: c50fa821-3023-491d-fb19-08d8b2895d0c X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: pbnplpG6t87vBeQLVUDTVL3pBXsx3d+nmIAzcg2P+YYac9KaILLT7YkzYIZvyDsH4ZBNJE4MH3ou3AHx3939eA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR12MB1259 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable From: Tom Lendacky BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3108 Update the MemEncryptSevLib library to include an interface that can report the encryption state on a range of memory. The values will represent the range as being unencrypted, encrypted, a mix of unencrypted and encrypted, and error (e.g. ranges that aren't mapped). Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Brijesh Singh Acked-by: Laszlo Ersek Signed-off-by: Tom Lendacky --- OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 1 + OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf | 1 + OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf | 1 + OvmfPkg/Include/Library/MemEncryptSevLib.h | 33 ++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h | 35 +++- OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c | 31 ++- OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c | 32 ++- OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 19 +- OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c | 20 ++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c | 207 +++++= +++++++++++++++ 10 files changed, 368 insertions(+), 12 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index 4480e4cc7c89..8e3b8ddd5a95 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -36,6 +36,7 @@ [Sources] [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/VirtualMemory.c X64/VirtualMemory.h =20 [Sources.IA32] diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index faabd234e393..f30400a13cba 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -36,6 +36,7 @@ [Sources] [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/VirtualMemory.c X64/VirtualMemory.h =20 [Sources.IA32] diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 7cd0111fe47b..279c38bfbc2c 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -35,6 +35,7 @@ [Sources] [Sources.X64] X64/MemEncryptSevLib.c X64/SecVirtualMemory.c + X64/VirtualMemory.c X64/VirtualMemory.h =20 [Sources.IA32] diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 872abe6725dc..ec470b8d0363 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -33,6 +33,16 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT64 EncryptionMask; } SEC_SEV_ES_WORK_AREA; =20 +// +// Memory encryption address range states. +// +typedef enum { + MemEncryptSevAddressRangeUnencrypted, + MemEncryptSevAddressRangeEncrypted, + MemEncryptSevAddressRangeMixed, + MemEncryptSevAddressRangeError, +} MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 @@ -147,4 +157,27 @@ MemEncryptSevGetEncryptionMask ( VOID ); =20 +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed + @retval MemEncryptSevAddressRangeError Address range is not mappe= d +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +MemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ); + #endif // _MEM_ENCRYPT_SEV_LIB_H_ diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/Ovm= fPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h index 26d26cd922a4..996f94f07ebb 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h @@ -3,7 +3,7 @@ Virtual Memory Management Services to set or clear the memory encryption= bit =20 Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
- Copyright (c) 2017, AMD Incorporated. All rights reserved.
+ Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -178,7 +178,17 @@ typedef struct { UINTN FreePages; } PAGE_TABLE_POOL; =20 +/** + Return the pagetable memory encryption mask. =20 + @return The pagetable memory encryption mask. + +**/ +UINT64 +EFIAPI +InternalGetMemEncryptionAddressMask ( + VOID + ); =20 /** This function clears memory encryption bit for the memory region specifi= ed by @@ -234,4 +244,27 @@ InternalMemEncryptSevSetMemoryEncrypted ( IN BOOLEAN Flush ); =20 +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed + @retval MemEncryptSevAddressRangeError Address range is not mappe= d +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +InternalMemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b= /OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c index b4f6e5738e6e..12a5bf495bd7 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c @@ -2,7 +2,7 @@ =20 Secure Encrypted Virtualization (SEV) library helper function =20 - Copyright (c) 2017, AMD Incorporated. All rights reserved.
+ Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -82,3 +82,32 @@ MemEncryptSevSetPageEncMask ( // return RETURN_UNSUPPORTED; } + +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed + @retval MemEncryptSevAddressRangeError Address range is not mappe= d +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +MemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ) +{ + // + // Memory is always encrypted in 32-bit mode + // + return MemEncryptSevAddressRangeEncrypted; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c b/= OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c index cf0921e21464..4fea6a6be0ac 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c @@ -2,7 +2,7 @@ =20 Secure Encrypted Virtualization (SEV) library helper function =20 - Copyright (c) 2017, AMD Incorporated. All rights reserved.
+ Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 @@ -88,3 +88,33 @@ MemEncryptSevSetPageEncMask ( Flush ); } + +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed + @retval MemEncryptSevAddressRangeError Address range is not mappe= d +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +MemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ) +{ + return InternalMemEncryptSevGetAddressRangeState ( + Cr3BaseAddress, + BaseAddress, + Length + ); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 3a5bab657bd7..d3455e812bd1 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -28,14 +28,14 @@ typedef enum { } MAP_RANGE_MODE; =20 /** - Get the memory encryption mask + Return the pagetable memory encryption mask. =20 - @param[out] EncryptionMask contains the pte mask. + @return The pagetable memory encryption mask. =20 **/ -STATIC UINT64 -GetMemEncryptionAddressMask ( +EFIAPI +InternalGetMemEncryptionAddressMask ( VOID ) { @@ -200,7 +200,7 @@ Split2MPageTo4K ( =20 PageTableEntry1 =3D PageTableEntry; =20 - AddressEncMask =3D GetMemEncryptionAddressMask (); + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); =20 ASSERT (PageTableEntry !=3D NULL); ASSERT (*PageEntry2M & AddressEncMask); @@ -286,7 +286,7 @@ SetPageTablePoolReadOnly ( LevelSize[3] =3D SIZE_1GB; LevelSize[4] =3D SIZE_512GB; =20 - AddressEncMask =3D GetMemEncryptionAddressMask(); + AddressEncMask =3D InternalGetMemEncryptionAddressMask(); PageTable =3D (UINT64 *)(UINTN)PageTableBase; PoolUnitSize =3D PAGE_TABLE_POOL_UNIT_SIZE; =20 @@ -431,7 +431,7 @@ Split1GPageTo2M ( =20 PageDirectoryEntry =3D AllocatePageTableMemory(1); =20 - AddressEncMask =3D GetMemEncryptionAddressMask (); + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); ASSERT (PageDirectoryEntry !=3D NULL); ASSERT (*PageEntry1G & AddressEncMask); // @@ -485,7 +485,7 @@ SetOrClearCBit( { UINT64 AddressEncMask; =20 - AddressEncMask =3D GetMemEncryptionAddressMask (); + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); =20 if (Mode =3D=3D SetCBit) { *PageTablePointer |=3D AddressEncMask; @@ -527,6 +527,7 @@ DisableReadOnlyPageWriteProtect ( /** Enable Write Protect on pages marked as read-only. **/ +STATIC VOID EnableReadOnlyPageWriteProtect ( VOID @@ -605,7 +606,7 @@ SetMemoryEncDec ( // // Check if we have a valid memory encryption mask // - AddressEncMask =3D GetMemEncryptionAddressMask (); + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); if (!AddressEncMask) { return RETURN_ACCESS_DENIED; } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c b/= OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c index 5c337ea0b820..bca5e3febb1b 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c @@ -13,6 +13,26 @@ =20 #include "VirtualMemory.h" =20 +/** + Return the pagetable memory encryption mask. + + @return The pagetable memory encryption mask. + +**/ +UINT64 +EFIAPI +InternalGetMemEncryptionAddressMask ( + VOID + ) +{ + UINT64 EncryptionMask; + + EncryptionMask =3D MemEncryptSevGetEncryptionMask (); + EncryptionMask &=3D PAGING_1G_ADDRESS_MASK_64; + + return EncryptionMask; +} + /** This function clears memory encryption bit for the memory region specifi= ed by PhysicalAddress and Length from the current page table context. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c b/Ovm= fPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c new file mode 100644 index 000000000000..36aabcf556a7 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c @@ -0,0 +1,207 @@ +/** @file + + Virtual Memory Management Services to test an address range encryption s= tate + + Copyright (c) 2020, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include "VirtualMemory.h" + +/** + Returns the (updated) address range state based upon the page table + entry. + + @param[in] CurrentState The current address range state + @param[in] PageDirectoryEntry The page table entry to check + @param[in] AddressEncMask The encryption mask + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed +**/ +STATIC +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +UpdateAddressState ( + IN MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE CurrentState, + IN UINT64 PageDirectoryEntry, + IN UINT64 AddressEncMask + ) +{ + if (CurrentState =3D=3D MemEncryptSevAddressRangeEncrypted) { + if ((PageDirectoryEntry & AddressEncMask) =3D=3D 0) { + CurrentState =3D MemEncryptSevAddressRangeMixed; + } + } else if (CurrentState =3D=3D MemEncryptSevAddressRangeUnencrypted) { + if ((PageDirectoryEntry & AddressEncMask) !=3D 0) { + CurrentState =3D MemEncryptSevAddressRangeMixed; + } + } else if (CurrentState =3D=3D MemEncryptSevAddressRangeError) { + // + // First address check, set initial state + // + if ((PageDirectoryEntry & AddressEncMask) =3D=3D 0) { + CurrentState =3D MemEncryptSevAddressRangeUnencrypted; + } else { + CurrentState =3D MemEncryptSevAddressRangeEncrypted; + } + } + + return CurrentState; +} + +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mi= xed + @retval MemEncryptSevAddressRangeError Address range is not mappe= d +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +InternalMemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ) +{ + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; + PAGE_MAP_AND_DIRECTORY_POINTER *PageUpperDirectoryPointerEntry; + PAGE_MAP_AND_DIRECTORY_POINTER *PageDirectoryPointerEntry; + PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; + PAGE_TABLE_ENTRY *PageDirectory2MEntry; + PAGE_TABLE_4K_ENTRY *PageTableEntry; + UINT64 AddressEncMask; + UINT64 PgTableMask; + PHYSICAL_ADDRESS Address; + PHYSICAL_ADDRESS AddressEnd; + MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE State; + + // + // If Cr3BaseAddress is not specified then read the current CR3 + // + if (Cr3BaseAddress =3D=3D 0) { + Cr3BaseAddress =3D AsmReadCr3(); + } + + AddressEncMask =3D MemEncryptSevGetEncryptionMask (); + AddressEncMask &=3D PAGING_1G_ADDRESS_MASK_64; + + PgTableMask =3D AddressEncMask | EFI_PAGE_MASK; + + State =3D MemEncryptSevAddressRangeError; + + // + // Encryption is on a page basis, so start at the beginning of the + // virtual address page boundary and walk page-by-page. + // + Address =3D (PHYSICAL_ADDRESS) (UINTN) BaseAddress & ~EFI_PAGE_MASK; + AddressEnd =3D (PHYSICAL_ADDRESS) + (UINTN) (BaseAddress + Length); + + while (Address < AddressEnd) { + PageMapLevel4Entry =3D (VOID*) (Cr3BaseAddress & ~PgTableMask); + PageMapLevel4Entry +=3D PML4_OFFSET (Address); + if (!PageMapLevel4Entry->Bits.Present) { + return MemEncryptSevAddressRangeError; + } + + PageDirectory1GEntry =3D (VOID *) ( + (PageMapLevel4Entry->Bits.PageTableBaseAddres= s << + 12) & ~PgTableMask + ); + PageDirectory1GEntry +=3D PDP_OFFSET (Address); + if (!PageDirectory1GEntry->Bits.Present) { + return MemEncryptSevAddressRangeError; + } + + // + // If the MustBe1 bit is not 1, it's not actually a 1GB entry + // + if (PageDirectory1GEntry->Bits.MustBe1) { + // + // Valid 1GB page + // + State =3D UpdateAddressState ( + State, + PageDirectory1GEntry->Uint64, + AddressEncMask + ); + + Address +=3D BIT30; + continue; + } + + // + // Actually a PDP + // + PageUpperDirectoryPointerEntry =3D + (PAGE_MAP_AND_DIRECTORY_POINTER *) PageDirectory1GEntry; + PageDirectory2MEntry =3D + (VOID *) ( + (PageUpperDirectoryPointerEntry->Bits.PageTableBaseAddress << + 12) & ~PgTableMask + ); + PageDirectory2MEntry +=3D PDE_OFFSET (Address); + if (!PageDirectory2MEntry->Bits.Present) { + return MemEncryptSevAddressRangeError; + } + + // + // If the MustBe1 bit is not a 1, it's not a 2MB entry + // + if (PageDirectory2MEntry->Bits.MustBe1) { + // + // Valid 2MB page + // + State =3D UpdateAddressState ( + State, + PageDirectory2MEntry->Uint64, + AddressEncMask + ); + + Address +=3D BIT21; + continue; + } + + // + // Actually a PMD + // + PageDirectoryPointerEntry =3D + (PAGE_MAP_AND_DIRECTORY_POINTER *)PageDirectory2MEntry; + PageTableEntry =3D + (VOID *)( + (PageDirectoryPointerEntry->Bits.PageTableBaseAddress << + 12) & ~PgTableMask + ); + PageTableEntry +=3D PTE_OFFSET (Address); + if (!PageTableEntry->Bits.Present) { + return MemEncryptSevAddressRangeError; + } + + State =3D UpdateAddressState ( + State, + PageTableEntry->Uint64, + AddressEncMask + ); + + Address +=3D EFI_PAGE_SIZE; + } + + return State; +} --=20 2.30.0