Re: [edk2-devel] [PATCH RFC v2 05/28] MdePkg: Add AsmPvalidate() support

["Laszlo Ersek" <lersek@redhat.com>]

On 04/30/21 13:51, Brijesh Singh wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>
> The PVALIDATE instruction validates or rescinds validation of a guest
> page RMP entry. Upon completion, a return code is stored in EAX, rFLAGS
> bits OF, ZF, AF, PF and SF are set based on this return code. If the
> instruction completed succesfully, the rFLAGS bit CF indicates if the
> contents of the RMP entry were changed or not.
>
> For more information about the instruction see AMD APM volume 3.
>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  MdePkg/Include/Library/BaseLib.h          | 37 +++++++++++++++++
>  MdePkg/Library/BaseLib/BaseLib.inf        |  1 +
>  MdePkg/Library/BaseLib/X64/Pvalidate.nasm | 43 ++++++++++++++++++++
>  3 files changed, 81 insertions(+)
>
> diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
> index 7253997a6f..92ce695e93 100644
> --- a/MdePkg/Include/Library/BaseLib.h
> +++ b/MdePkg/Include/Library/BaseLib.h
> @@ -7518,5 +7518,42 @@ PatchInstructionX86 (
>    IN  UINTN                    ValueSize
>    );
>
> +/**
> + Execute a PVALIDATE instruction to validate or rescnids validation of a guest

(1) typo: "rescnids"


> + page's RMP entry.
> +
> + Upon completion, in addition to the return value the instruction also updates
> + the eFlags. A caller must check both the return code as well as eFlags to
> + determine if the RMP entry has been updated.
> +
> + The function is available on x64.

(2) Please write "X64"; that's how the architecture is usually mentioned
in both the UEFI spec and in edk2.


> +
> + @param[in]    Address        The guest virtual address to validate.
> + @param[in]    PageSize       The page size to use.
> + @param[i]     Validate       Validate or rescinds.
> + @param[out]   Eflags         The value of Eflags after PVALIDATE completion.

(3) Typo: "[i]" should be "[in]".


(4) The order of parameters listed in this comment block differs from
the actual parameter list.

The ECC plugin of the edk2 CI will catch this issue anyway. So, before
submitting the patch set to the list, please submit a personal PR on
github.com against the main repo, just to run CI on your patches.


> +
> + @retval       PvalidateRetValue  The return value from the PVALIDATE instruction.

More on the return value / type later, below.

> +**/
> +typedef enum {
> +  PvalidatePageSize4K = 0,
> +  PvalidatePageSize2MB,
> +} PVALIDATE_PAGE_SIZE;
> +
> +typedef enum {
> +  PvalidateRetSuccess = 0,
> +  PvalidateRetFailInput = 1,
> +  PvalidateRetFailSizemismatch = 6,
> +} PVALIDATE_RET_VALUE;
> +

(5) These typedefs do not belong between the function leading comment
and the function declaration. Please hoist the typedefs just above the
leading comment, and add a separate comment for the typedefs -- using
the proper comment style for typedefs, too.


> +PVALIDATE_RET_VALUE

(6) In my opinion, using an enum for an EFIAPI function's return type is
problematic. According to the UEFI spec (v2.9), "Table 2-3 Common UEFI
Data Types", <Enumerated Type> may correspond to INT32 or UINT32. I
don't like that ambiguity here. The spec also says that such types
should never be used at least as structure fields.

I'm perfectly fine with functions in standard (ISO) C programs returning
enums, but I think the situation is less clear in UEFI. I don't recall
standard interfaces (spec-level, or even edk2 / MdePkg interfaces) that
return enums.

I suggest the following instead. Drop the PVALIDATE_RET_VALUE enum
altogether. Specify EFI_STATUS as the return type, in the declaration of
the function.

In the UEFI spec, Appendix D specifies the numeric values of the status
codes. Furthermore, there are examples for NASM sources using EFI_*
status codes *numerically* in edk2; minimally:

- IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryT.nasm
- IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/Ia32/SecEntry.nasm

Thus, please modify the assembly source code in this patch to return
EFI_SUCCESS (already value 0, conveniently) if the instruction succeeds.

Return EFI_INVALID_PARAMETER (0x8000_0002) in case the instruction fails
with error code 1 (FAIL_INPUT).

Return EFI_UNSUPPORTED (0x8000_0003), or even EFI_NO_MAPPING
(0x8000_0017), for value 6 (FAIL_SIZEMISMATCH).

The leading comment block of the function is supposed to explain these
associations:

  @retval EFI_SUCCESS        Successful completion (regardless of
                             whether the Validated bit changed state).
  @retval INVALID_PARAMETER  Invalid input parameters (FAIL_INPUT).
  @retval EFI_UNSUPPORTED    Page size mismatch between guest (2M) and
                             RMP entry (4K) (FAIL_SIZEMISMATCH).

(Passing in the PVALIDATE_PAGE_SIZE enum, as a parameter, should be
fine, BTW)


(7) According to the AMD APM, "Support for this instruction is indicated
by CPUID Fn8000_001F_EAX[SNP]=1".

Presumably, if the (physical, or emulated) hardware does not support
PVALIDATE, an #UD is raised. That condition should be explained in the
function's leading comment. (Mention the CPUID and the #UD, I guess.)


> +EFIAPI
> +AsmPvalidate (
> +  IN   PVALIDATE_PAGE_SIZE     PageSize,
> +  IN   BOOLEAN                 Validate,
> +  IN   UINTN                   Address,

(8) This should be EFI_PHYSICAL_ADDRESS, not UINTN.


> +  OUT  IA32_EFLAGS32           *Eflags
> +  );
> +
>  #endif // defined (MDE_CPU_IA32) || defined (MDE_CPU_X64)
>  #endif // !defined (__BASE_LIB__)

(9) Unless you foresee particular uses for eflags *other than* CF, I
would suggest replacing the Eflags output parameter with

  OUT BOOLEAN   *RmpEntryUpdated

The function would still only have 4 parameters, which shouldn't be
difficult to handle in the assembly implementation (i.e. write to the
UINT8 (= BOOLEAN) object referenced by "RmpEntryUpdated"). EFIAPI means
that the first four params are passed in RCX, RDX, R8, R9.

Thus far, I can see only one AsmPvalidate() call: in IssuePvalidate(),
from patch #21 ("OvmfPkg/MemEncryptSevLib: Add support to validate
system RAM"). And there, CF looks sufficient.


(10) The instruction is X64 only, but you are providing the declaration
even if MDE_CPU_IA32 is #defined. That seems wrong; even the declaration
should be invisible in that case. Please declare the function for
MDE_CPU_X64 only.


> diff --git a/MdePkg/Library/BaseLib/BaseLib.inf b/MdePkg/Library/BaseLib/BaseLib.inf
> index b76f3af380..d33b4a8f7d 100644
> --- a/MdePkg/Library/BaseLib/BaseLib.inf
> +++ b/MdePkg/Library/BaseLib/BaseLib.inf
> @@ -321,6 +321,7 @@
>    X64/XGetBv.nasm
>    X64/XSetBv.nasm
>    X64/VmgExit.nasm
> +  X64/Pvalidate.nasm
>    ChkStkGcc.c  | GCC
>
>  [Sources.EBC]

(11) This list of source files is already not sorted alphabetically,
unfortunately. But we can still do better than this: I suggest inserting
"X64/Pvalidate.nasm" just before "X64/RdRand.nasm".


(12) Your git setup seems less than ideal for formatting edk2 patches.
The @@ hunk header above does not show the INF file section being
modified. It should look something like this:

  @@ -317,6 +317,7 @@ [Sources.X64]
                      ^^^^^^^^^^^^^

Please run the "BaseTools/Scripts/SetupGit.py" script in your working
tree.

Alternatively, please see "xfuncname" at
<https://github.com/tianocore/tianocore.github.io/wiki/Laszlo%27s-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-05>.

This is of course not a bug in the patch, but fixing your setup will
help with the next round of review.


> diff --git a/MdePkg/Library/BaseLib/X64/Pvalidate.nasm b/MdePkg/Library/BaseLib/X64/Pvalidate.nasm
> new file mode 100644
> index 0000000000..f2aba114ac
> --- /dev/null
> +++ b/MdePkg/Library/BaseLib/X64/Pvalidate.nasm
> @@ -0,0 +1,43 @@
> +;-----------------------------------------------------------------------------
> +;
> +; Copyright (c) 2020-2021, AMD. All rights reserved.<BR>

(13) I believe we don't introduce new files with copyright notices
referring to the past. IOW, I think you should only say "2021" here.


> +; SPDX-License-Identifier: BSD-2-Clause-Patent
> +;
> +; Module Name:
> +;
> +;   Pvalidate.Asm
> +;
> +; Abstract:
> +;
> +;   AsmPvalidate function
> +;
> +; Notes:
> +;

(14) I defer to the MdePkg maintainers on this, but "Module Name" is
plain wrong, and the Abstract is useless. Either fix those up please
("Abstract" could be a copy of the corrected leading comment block), or
just drop them both.


> +;-----------------------------------------------------------------------------
> +
> +    SECTION .text
> +
> +;-----------------------------------------------------------------------------
> +;  PvalidateRetValue
> +;  EFIAPI
> +;  AsmPvalidate (
> +;    IN   UINT32  RmpPageSize
> +;    IN   UINT32  Validate,
> +;    IN   UINTN   Address,
> +;    OUT  UINTN  *Eflags,
> +;    )
> +;-----------------------------------------------------------------------------

(15) Please update this accordingly to the corrected function
specification.


> +global ASM_PFX(AsmPvalidate)
> +ASM_PFX(AsmPvalidate):
> +  mov     rax, r8
> +
> +  ; PVALIDATE instruction opcode
> +  DB      0xF2, 0x0F, 0x01, 0xFF

This is bad practice; we make every effort to avoid DB-encoded
instructions.

We have two PVALIDATE instances in the patch set (... that I can see
immediateyl); the first here, and the other in
"OvmfPkg/ResetVector/Ia32/PageTables64.asm" (from patch #17,
"OvmfPkg/ResetVector: Invalidate the GHCB page"). Therefore, hiding the
encoding of PVALIDATE behind a NASM macro definitely makes sense.

(16a) Please file a NASM feature request for PVALIDATE at
<https://bugzilla.nasm.us>.

(16b) In the present MdePkg patch, please extend the file

  MdePkg/Include/X64/Nasm.inc

as follows:

> diff --git a/MdePkg/Include/X64/Nasm.inc b/MdePkg/Include/X64/Nasm.inc
> index 527f71e9eb4d..ff37f1e35707 100644
> --- a/MdePkg/Include/X64/Nasm.inc
> +++ b/MdePkg/Include/X64/Nasm.inc
> @@ -33,6 +33,15 @@
>      DB 0xF3, 0x48, 0x0F, 0xAE, 0xE8
>  %endmacro
>
> +;
> +; Macro for the PVALIDATE instruction, defined in AMD publication #24594
> +; revision 3.32. NASM feature request URL:
> +; <https://bugzilla.nasm.us/show_bug.cgi?id=FIXME>.
> +;
> +%macro PVALIDATE       0
> +    DB 0xF2, 0x0F, 0x01, 0xFF
> +%endmacro
> +
>  ; NASM provides built-in macros STRUC and ENDSTRUC for structure definition.
>  ; For example, to define a structure called mytype containing a longword,
>  ; a word, a byte and a string of bytes, you might code

(16c) Please replace the FIXME placeholder above with the actual NASM BZ
number (from (16a)).

(16d) In the "MdePkg/Library/BaseLib/X64/Pvalidate.nasm" source file,
and also (later) in the "OvmfPkg/ResetVector/Ia32/PageTables64.asm"
source file, please use the PVALIDATE macro, in place of the naked DBs.


Back to your patch:

On 04/30/21 13:51, Brijesh Singh wrote:
> +
> +  ; Read the Eflags
> +  pushfq
> +  pop     r8
> +  mov     [r9], r8
> +
> +  ; The PVALIDATE instruction returns the status in rax register.
> +  ret
>

(17) The assembly code should be updated to match the new interface
contract (parameter order, parameter types, return values).


I'll continue reviewing the series later this week (hopefully tomorrow).

Thanks,
Laszlo