public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [RFC PATCH v1 0/5] x86: Secure Encrypted Virtualization (AMD)
@ 2017-03-06 23:27 Brijesh Singh
  2017-03-06 23:27 ` [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active Brijesh Singh
                   ` (4 more replies)
  0 siblings, 5 replies; 33+ messages in thread
From: Brijesh Singh @ 2017-03-06 23:27 UTC (permalink / raw)
  To: jordan.l.justen, edk2-devel, lersek
  Cc: Thomas.Lendacky, leo.duran, brijesh.sing

This RFC series provides support for AMD's new Secure Encrypted 
Virtualization (SEV) feature.

SEV is an extension to the AMD-V architecture which supports running
multiple VMs under the control of a hypervisor. The SEV feature allows
the memory contents of a virtual machine (VM) to be transparently encrypted
with a key unique to the guest VM. The memory controller contains a
high performance encryption engine which can be programmed with multiple
keys for use by a different VMs in the system. The programming and
management of these keys is handled by the AMD Secure Processor firmware
which exposes a commands for these tasks.

SEV guest VMs have the concept of private and shared memory.  Private memory is
encrypted with the guest-specific key, while shared memory may be encrypted
with hypervisor key.  Certain types of memory (namely instruction pages and
guest page tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like to be
private. The choice is done using the standard CPU page tables using the C-bit,
and is fully controlled by the guest. Due to security reasons all the DMA
operations inside the  guest must be performed on shared pages (C-bit clear).
Note that since C-bit is only controllable by the guest OS when it is operating
in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware forces the
C-bit to a 1.

KVM SEV RFC [1] extends the KVM_FEATURE cpuid instruction to indicate whether
SEV is enabled. When SEV is enabled then OVMF can use cpuid Fn8000_001F[BX]
to get the C-bit position in PTE.

The following links provide additional details:

AMD Memory Encryption whitepaper:
http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf

AMD64 Architecture Programmer's Manual:
    http://support.amd.com/TechDocs/24593.pdf
    SME is section 7.10
    SEV is section 15.34

Secure Encrypted Virutualization Key Management:
http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf

KVM Forum Presentation:
http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf

[1] http://marc.info/?l=linux-mm&m=148846752931115&w=2

---

Patch is based on commit a11928f (BaseTools/Source/C/Makefiles: Fix
NmakeSubdirs.bat always return 0)

TODO:
 - Unroll the IoFifo write function when SEV is active.
 - Clear the encryption attribute from VGA framebuffer memory so that hypervisor
   can read the guest framebuffer console
 - add DMA support when SEV is active

   Since the DMA operations must be performed on shread pages, I am thinking
   that once the DMA library patch [2] is accepted then I can import it in
   OvmfPkg and make the SEV specific changes (mainly clearing the C-bit on
   DMA addresses).

   [2] https://lists.01.org/pipermail/edk2-devel/2017-March/008109.html

 - investigate SMM/SMI support
 - add virtio support

Brijesh Singh (5):
      OvmfPkg/ResetVector: Set memory encryption when SEV is active
      OvmfPkg/MemcryptSevLib: Add SEV helper library
      OvmfPkg/PlatformPei: Initialize SEV support
      OvmfPkg/BaseIoLibIntrinsic: import BaseIoLibIntrinsic package
      OvmfPkg/BaseIoLibIntrinsic: Unroll String I/O when SEV is active


 OvmfPkg/Include/Library/MemcryptSevLib.h           |   42 ++++++
 .../BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf      |    3 
 .../BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni      |    0 
 .../BaseIoLibIntrinsicInternal.h                   |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm |    0 
 .../Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm    |   19 +++
 .../Library/BaseIoLibIntrinsic/Ia32/SevIoFifo.nasm |  141 ++++++++++++++++++++
 OvmfPkg/Library/BaseIoLibIntrinsic/IoHighLevel.c   |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLib.c         |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibArm.c      |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibEbc.c      |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibGcc.c      |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIcc.c      |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIpf.c      |    0 
 .../Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c   |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMsc.c      |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm  |    0 
 OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm |   19 +++
 .../Library/BaseIoLibIntrinsic/X64/SevIoFifo.nasm  |  143 ++++++++++++++++++++
 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.c    |   66 +++++++++
 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.inf  |   44 ++++++
 OvmfPkg/OvmfPkgIa32X64.dsc                         |    6 +
 OvmfPkg/OvmfPkgX64.dsc                             |    6 +
 OvmfPkg/PlatformPei/Platform.c                     |    6 +
 OvmfPkg/PlatformPei/PlatformPei.inf                |    1 
 OvmfPkg/ResetVector/Ia32/PageTables64.asm          |   52 +++++++
 26 files changed, 545 insertions(+), 3 deletions(-)
 create mode 100644 OvmfPkg/Include/Library/MemcryptSevLib.h
 copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf (94%)
 copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicInternal.h => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicInternal.h (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm => OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm => OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm (87%)
 create mode 100644 OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/SevIoFifo.nasm
 copy MdePkg/Library/BaseIoLibIntrinsic/IoHighLevel.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoHighLevel.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLib.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLib.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibArm.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibArm.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibEbc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibEbc.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibGcc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibGcc.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibIcc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIcc.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibIpf.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIpf.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/IoLibMsc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMsc.c (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm => OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm (100%)
 copy MdePkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm => OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm (88%)
 create mode 100644 OvmfPkg/Library/BaseIoLibIntrinsic/X64/SevIoFifo.nasm
 create mode 100644 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.c
 create mode 100644 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.inf

-- 

Brijesh Singh



^ permalink raw reply	[flat|nested] 33+ messages in thread

end of thread, other threads:[~2017-03-17 14:08 UTC | newest]

Thread overview: 33+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-06 23:27 [RFC PATCH v1 0/5] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active Brijesh Singh
     [not found]   ` <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com>
2017-03-07 16:34     ` Brijesh Singh
2017-03-07 16:35     ` Laszlo Ersek
2017-03-08 18:38   ` Jordan Justen
2017-03-08 18:42     ` Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 2/5] OvmfPkg/MemcryptSevLib: Add SEV helper library Brijesh Singh
2017-03-07 17:06   ` Laszlo Ersek
2017-03-07 19:14     ` Brijesh Singh
2017-03-07 22:08       ` Laszlo Ersek
2017-03-07 22:36         ` Brijesh Singh
2017-03-08  8:40           ` Laszlo Ersek
2017-03-17  2:02             ` Brijesh Singh
2017-03-17 10:29               ` Laszlo Ersek
2017-03-17 14:08                 ` Brijesh Singh
2017-03-08 14:56         ` Duran, Leo
2017-03-08 15:19           ` Laszlo Ersek
2017-03-06 23:27 ` [RFC PATCH v1 3/5] OvmfPkg/PlatformPei: Initialize SEV support Brijesh Singh
2017-03-07 17:08   ` Laszlo Ersek
2017-03-07 19:17     ` Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 4/5] OvmfPkg/BaseIoLibIntrinsic: import BaseIoLibIntrinsic package Brijesh Singh
2017-03-07 17:20   ` Laszlo Ersek
2017-03-07 20:06     ` Jordan Justen
2017-03-07 22:18       ` Laszlo Ersek
2017-03-08 15:41       ` Gao, Liming
2017-03-08 16:26         ` Brijesh Singh
2017-03-09  1:43           ` Gao, Liming
2017-03-08 18:58         ` Jordan Justen
2017-03-09  1:48           ` Gao, Liming
2017-03-09 15:36             ` Duran, Leo
2017-03-09 16:36               ` Laszlo Ersek
2017-03-06 23:28 ` [RFC PATCH v1 5/5] OvmfPkg/BaseIoLibIntrinsic: Unroll String I/O when SEV is active Brijesh Singh
     [not found]   ` <5a66f334-27e1-3b49-150e-c01209ecb2f6@amd.com>
2017-03-07 18:43     ` Brijesh Singh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox