public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: "Lendacky, Thomas" <Thomas.Lendacky@amd.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Jordan Justen" <jordan.l.justen@intel.com>,
	"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
	"Michael D Kinney" <michael.d.kinney@intel.com>,
	"Liming Gao" <liming.gao@intel.com>,
	"Eric Dong" <eric.dong@intel.com>, "Ray Ni" <ray.ni@intel.com>,
	"Singh, Brijesh" <brijesh.singh@amd.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [edk2-devel] [RFC PATCH v2 38/44] UefiCpuPkg: Allow AP booting under SEV-ES
Date: Thu, 3 Oct 2019 12:12:51 +0200	[thread overview]
Message-ID: <d533b2e9-1b0c-ec2c-d628-80dc4628761d@redhat.com> (raw)
In-Reply-To: <f666920b-483b-9a5a-2a28-11415c5fe080@amd.com>

On 10/02/19 20:07, Lendacky, Thomas wrote:
> On 10/2/19 10:26 AM, Laszlo Ersek wrote:
>> On 10/02/19 17:15, Laszlo Ersek wrote:
>>> Adding Phil.
>>>
>>> I'm looking at this patch only because one thing caught my attention in
>>> the previous one, "OvmfPkg: Add support for SEV-ES AP reset vector
>>> re-directing":
>>>
>>> On 09/19/19 21:53, Lendacky, Thomas wrote:
>>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>>>
>>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>>>
>>>> Typically, an AP is booted using the INIT-SIPI-SIPI sequence. This
>>>> sequence is intercepted by the hypervisor, which sets the AP's registers
>>>> to the values requested by the sequence. At that point, the hypervisor can
>>>> start the AP, which will then begin execution at the appropriate location.
>>>>
>>>> Under SEV-ES, AP booting presents some challenges since the hypervisor is
>>>> not allowed to alter the AP's register state. In this situation, we have
>>>> to distinguish between the AP's first boot and AP's subsequent boots.
>>>>
>>>> First boot:
>>>>  Once the AP's register state has been defined (which is before the guest
>>>>  is first booted) it cannot be altered. Should the hypervisor attempt to
>>>>  alter the register state, the change would be detected by the hardware
>>>>  and the VMRUN instruction would fail. Given this, the first boot for the
>>>>  AP is required to begin execution with this initial register state, which
>>>>  is typically the reset vector. This prevents the BSP from directing the
>>>>  AP startup location through the INIT-SIPI-SIPI sequence.
>>>>
>>>>  To work around this, provide a four-byte field at offset 0xffffffd0 that
>>>>  can contain an IP / CS register combination, that if non-zero, causes
>>>>  the AP to perform a far jump to that location instead of a near jump to
>>>>  EarlyBspInitReal16. Before booting the AP for the first time, the BSP
>>>>  should set the IP / CS value for the AP based on the value that would be
>>>>  derived from the INIT-SIPI-SIPI sequence.
>>>
>>> I don't understand how this can work: the guest-phys address 0xffffffd0
>>> is backed by read-only pflash in most OVMF deployments.
>>>
>>> In addition:
>>>
>>> [...]
>>>
>>>> @@ -1002,6 +1204,7 @@ WakeUpAP (
>>>>        CpuMpData->InitFlag   != ApInitDone) {
>>>>      ResetVectorRequired = TRUE;
>>>>      AllocateResetVector (CpuMpData);
>>>> +    AllocateSevEsAPMemory (CpuMpData);
>>>>      FillExchangeInfoData (CpuMpData);
>>>>      SaveLocalApicTimerSetting (CpuMpData);
>>>>    }
>>>> @@ -1038,6 +1241,15 @@ WakeUpAP (
>>>>        }
>>>>      }
>>>>      if (ResetVectorRequired) {
>>>> +      //
>>>> +      // For SEV-ES, set the jump address for initial AP boot
>>>> +      //
>>>> +      if (CpuMpData->SevEsActive) {
>>>> +        SEV_ES_AP_JMP_FAR *JmpFar = (SEV_ES_AP_JMP_FAR *)0xFFFFFFD0;
>>>> +
>>>> +        JmpFar->ApStart.Rip = 0;
>>>> +        JmpFar->ApStart.Segment = (UINT16) (ExchangeInfo->BufferStart >> 4);
>>>> +      }
>>>
>>> Even if the address is backed by a single "unified" pflash, mapped r/w
>>> -- which we can call a "non-standard OVMF deployment" nowadays --, a
>>> normal store doesn't appear sufficient to me. The first write to pflash
>>> will flip it to "programming mode", and the values stored are supposed
>>> to be pflash commands (not just the raw data we intend to put in place).
>>>
>>> See for example the QemuFlashWrite() function in
>>> "OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c". (But, again, that
>>> is used with the pflash chip that hosts the variable store, and is
>>> therefore mapped r/w.)
>>>
>>>
>>> Taking a step back... I don't think APs execute any code from pflash,
>>> when MpInitLib boots them.
>>>
>>> In OVMF, PcdCpuApLoopMode is ApInHltLoop (value 1), therefore
>>> "CpuMpData->WakeUpByInitSipiSipi" should be TRUE, and
>>> "ResetVectorRequired" too should be TRUE, at first AP boot.
>>> Consequently, the reset vector seems to be allocated with
>>> AllocateResetVector().
>>>
>>> AllocateResetVector() has separate implementations for PEI and DXE, but
>>> in both cases, it returns RAM. So I don't see where the AP accesses (or
>>> executes) pflash.
>>
>> ... I believe I understand that this is precisely what cannot work under
>> SEV-ES -- because we cannot launch an AP at an address that's
>> dynamically chosen by the firmware (and passed to the hypervisor), like
>> with INIT-SIPI-SIPI.
> 
> Correct.
> 
>>
>> And so firmware and hypervisor have to agree upon a *constant* AP reset
>> vector address, in advance.
>>
>> We have two options:
>>
>> - pick the reset vector address *constant* such that it falls into RAM, or
>>
>> - let the AP reset vector reside in pflash, but then the code in pflash
>> has to look for a parameter block at a fixed address in RAM.
>>
>> So in the end, both options require the same -- we need a RAM address
>> constant that is determined at firmware build time. Either for the reset
>> vector itself, or for the reset vector's parameter block.
> 
> As long as the hypervisor has a way to determine a build time address,
> that would be the preferred method. I couldn't come up with a way (or at
> least don't know of a way) to allow the hypervisor to discover that build
> time address. Hopefully someone else does and we can eliminate the need
> to map the ROM read/write and just program the vCPUs initial registers to
> the build time value.
> 
> I think the address should be for the AP reset vector itself, otherwise
> you would have to guarantee that the reset vector parameter block is zero
> for the initial BSP boot.

Rough idea:

(1) Introduce a new fixed PCD (UINT32) pointing into RAM -- the AP reset
vector address. You could carve it out from another unused part of
FD.MEMFD, and set the PCD in the FDF files.

(2) In PlatformPei, reserve the area.

(3) In "ResetVectorVtf0.asm", we should introduce a packed structure as
follows, so that it end at label "applicationProcessorEntryPoint":

  UINT32   ApEntryPoint;
  EFI_GUID SevEsFooterGuid;
  UINT16   Size;

I think the assembly source code could populate this structure with DD /
DB / DW pseudo-instructions.

- The "ApEntryPoint" field would be filled from FixedPcdGet32.

- The SevEsFooterGuid field would be open-coded with DB. We'd pick a new
GUID with uuidgen for this.

- The "Size" field would cover the entire structure. I think we should
be able to auto-calculate it for a DW pseudo-instruction, placing a
label at the top of the structure, and then using ($ - ThatLabel) or
similar.

(4) The following information would be fixed (by convention) and known
to QEMU:
- the address of the SevEsFooterGuid field (offset backwards from the
end of flash / 4GB)
- the value of SevEsFooterGuid.

(5) Whenever QEMU finds the GUID, it can check the Size field. Given the
Size field, QEMU can check fields *prepended* to the footer structure.
Incompatible changes to the structure (i.e. any change other than
prepending new fields) require a new GUID to be generated for
SevEsFooterGuid.

(6) Thus QEMU could read ApEntryPoint out of the pflash image.

Thanks
Laszlo

  reply	other threads:[~2019-10-03 10:12 UTC|newest]

Thread overview: 106+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-19 19:52 [RFC PATCH v2 00/44] SEV-ES guest support Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 01/44] MdePkg: Create PCDs to be used in support of SEV-ES Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 02/44] OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function Lendacky, Thomas
2019-09-24 11:53   ` [edk2-devel] " Laszlo Ersek
2019-09-19 19:52 ` [RFC PATCH v2 03/44] OvmfPkg: Add support to perform SEV-ES initialization Lendacky, Thomas
2019-09-24 11:59   ` [edk2-devel] " Laszlo Ersek
2019-09-24 14:43     ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 04/44] OvmfPkg/ResetVector: Add support for a 32-bit SEV check Lendacky, Thomas
2019-09-24 13:42   ` [edk2-devel] " Laszlo Ersek
2019-09-24 13:50     ` Laszlo Ersek
2019-09-24 18:57     ` Lendacky, Thomas
2019-09-25 14:45       ` Laszlo Ersek
2019-09-30 19:29       ` Laszlo Ersek
2019-09-30 19:55         ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 05/44] MdePkg: Add the MSR definition for the GHCB register Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 06/44] OvmfPkg: Create a GHCB page for use during Sec phase Lendacky, Thomas
2019-09-25  8:09   ` [edk2-devel] " Laszlo Ersek
2019-09-25 17:36     ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 07/44] OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported Lendacky, Thomas
2019-09-25  8:27   ` [edk2-devel] " Laszlo Ersek
2019-09-25 17:52     ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 08/44] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase Lendacky, Thomas
2019-09-26  8:00   ` [edk2-devel] " Laszlo Ersek
2019-09-26 14:00     ` Lendacky, Thomas
2019-09-30 18:52       ` Laszlo Ersek
2019-09-30 19:49         ` Lendacky, Thomas
2019-09-30 19:12       ` Laszlo Ersek
2019-09-30 19:51         ` Lendacky, Thomas
2019-10-02 10:23   ` Laszlo Ersek
2019-10-02 14:43     ` Lendacky, Thomas
2019-10-02 15:55       ` Laszlo Ersek
2019-09-19 19:52 ` [RFC PATCH v2 09/44] MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 10/44] OvmfPkg: A per-CPU variable area for #VC usage Lendacky, Thomas
2019-09-26  8:17   ` [edk2-devel] " Laszlo Ersek
2019-09-26 14:46     ` Lendacky, Thomas
2019-09-30 19:15       ` Laszlo Ersek
2019-09-30 19:52         ` Lendacky, Thomas
2019-10-02 11:51   ` Laszlo Ersek
2019-10-02 16:06     ` Lendacky, Thomas
2019-10-03  9:06       ` Laszlo Ersek
2019-09-19 19:52 ` [RFC PATCH v2 11/44] OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled Lendacky, Thomas
2019-10-02 12:05   ` [edk2-devel] " Laszlo Ersek
2019-10-02 16:10     ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 12/44] MdePkg: Add a structure definition for the GHCB Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 13/44] MdePkg/BaseLib: Add support for the VMGEXIT instruction Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 14/44] UefiCpuPkg: Implement library support for VMGEXIT Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 15/44] UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 16/44] OvmfPkg/MemEncryptSevLib: Make MemEncryptSevLib available during SEC Lendacky, Thomas
2019-10-02 12:24   ` [edk2-devel] " Laszlo Ersek
2019-10-02 12:30     ` Laszlo Ersek
2019-10-02 16:16       ` Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 17/44] UefiCpuPkg/CpuExceptionHandler: Add #VC exception handling for Sec phase Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 18/44] OvmfPkg/Sec: Enable cache early to speed up booting Lendacky, Thomas
2019-10-02 12:31   ` [edk2-devel] " Laszlo Ersek
2019-09-19 19:52 ` [RFC PATCH v2 19/44] UefiCpuPkg/CpuExceptionHandler: Add support for IOIO_PROT NAE events Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 20/44] UefiCpuPkg/CpuExceptionHandler: Support string IO " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 21/44] MdePkg: Add support for the XGETBV instruction Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 22/44] UefiCpuPkg/CpuExceptionHandler: Add support for CPUID NAE events Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 23/44] UefiCpuPkg/CpuExceptionHandler: Add support for MSR_PROT " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 24/44] UefiCpuPkg/CpuExceptionHandler: Add support for NPF NAE events (MMIO) Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 25/44] UefiCpuPkg/CpuExceptionHandler: Add support for WBINVD NAE events Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 26/44] UefiCpuPkg/CpuExceptionHandler: Add support for RDTSC " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 27/44] UefiCpuPkg/CpuExceptionHandler: Add support for RDPMC " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 28/44] UefiCpuPkg/CpuExceptionHandler: Add support for INVD " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 29/44] UefiCpuPkg/CpuExceptionHandler: Add support for VMMCALL " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 30/44] UefiCpuPkg/CpuExceptionHandler: Add support for RDTSCP " Lendacky, Thomas
2019-09-19 19:52 ` [RFC PATCH v2 31/44] UefiCpuPkg/CpuExceptionHandler: Add support for MONITOR/MONITORX " Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 32/44] UefiCpuPkg/CpuExceptionHandler: Add support for MWAIT/MWAITX " Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 33/44] UefiCpuPkg/CpuExceptionHandler: Add support for DR7 Read/Write " Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 34/44] UefiCpuPkg/MpInitLib: Update CPU MP data with a flag to indicate if SEV-ES is active Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 36/44] UefiCpuPkg: Add a 16-bit protected mode code segment descriptor Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 35/44] MdeModulePkg: Reserve " Lendacky, Thomas
2019-09-19 19:53 ` [RFC PATCH v2 37/44] OvmfPkg: Add support for SEV-ES AP reset vector re-directing Lendacky, Thomas
2019-10-02 14:54   ` [edk2-devel] " Laszlo Ersek
2019-10-02 17:33     ` Lendacky, Thomas
2019-10-03  9:09       ` Laszlo Ersek
2019-09-19 19:53 ` [RFC PATCH v2 38/44] UefiCpuPkg: Allow AP booting under SEV-ES Lendacky, Thomas
2019-10-02 15:15   ` [edk2-devel] " Laszlo Ersek
2019-10-02 15:26     ` Laszlo Ersek
2019-10-02 18:07       ` Lendacky, Thomas
2019-10-03 10:12         ` Laszlo Ersek [this message]
2019-10-03 10:32           ` Laszlo Ersek
2019-10-03 15:12             ` Lendacky, Thomas
2019-10-10 23:17               ` Lendacky, Thomas
2019-10-10 23:56                 ` Andrew Fish
2019-10-11  8:56                 ` Laszlo Ersek
2019-10-12  6:42                   ` Andrew Fish
2019-10-12  7:46                     ` Liming Gao
2019-10-12 18:50                       ` Andrew Fish
2019-10-14 13:11                     ` Laszlo Ersek
2019-10-14 19:11                       ` Andrew Fish
2019-10-02 17:58     ` Lendacky, Thomas
2019-10-03  9:21       ` Laszlo Ersek
2019-09-19 19:53 ` [RFC PATCH v2 40/44] MdePkg: Add a finalization function to the CPU protocol Lendacky, Thomas
2019-09-20 13:16 ` [RFC PATCH v2 39/44] OvmfPkg: Move the GHCB allocations into reserved memory Lendacky, Thomas
2019-10-02 14:38   ` [edk2-devel] " Laszlo Ersek
2019-09-20 13:16 ` [RFC PATCH v2 42/44] UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use Lendacky, Thomas
2019-12-12  8:24   ` Ni, Ray
2019-12-13 16:35     ` Lendacky, Thomas
2019-09-20 13:16 ` [RFC PATCH v2 41/44] UefiCpuPkg/MpInitLib: Add MP finalization interface to MpInitLib Lendacky, Thomas
2019-09-20 13:16 ` [RFC PATCH v2 43/44] UefiCpuPkg/CpuDxe: Provide an DXE MP finalization routine to support SEV-ES Lendacky, Thomas
2019-09-20 13:16 ` [RFC PATCH v2 44/44] MdeModulePkg/DxeCore: Perform the CPU protocol finalization support Lendacky, Thomas
2019-09-20 19:24 ` [RFC PATCH v2 00/44] SEV-ES guest support Lendacky, Thomas
2019-09-24  1:55   ` [edk2-devel] " Dong, Eric
2019-09-24 14:31     ` Lendacky, Thomas
2019-09-25 22:31       ` Ni, Ray

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d533b2e9-1b0c-ec2c-d628-80dc4628761d@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox