From: "Lendacky, Thomas"
Date: Mon, 29 Nov 2021 13:04:36 -0600
Subject: Re: [PATCH] OvmfPkg/MemEncryptSevLib: check CPUID when read msr during PEI phase
To: qi zhou, "devel@edk2.groups.io"
Cc: "brijesh.singh@amd.com", "erdemaktas@google.com", "jejb@linux.ibm.com", "jiewen.yao@intel.com", "min.m.xu@intel.com"

On
11/25/21 7:12 AM, qi zhou wrote:
> From 5b10265fa5c7b5ca728b4f18488089de6535ed28 Mon Sep 17 00:00:00 2001
> From: Qi Zhou
> Date: Thu, 25 Nov 2021 20:25:55 +0800
> Subject: [PATCH] OvmfPkg/MemEncryptSevLib: check CPUID when read msr during
> PEI phase
>
> Tested on Intel Platform, it is like 'SEV-ES work area' can be modified by
> OS (Windows etc.), and will not be restored on reboot, the
> SevEsWorkArea->EncryptionMask may have a random value after reboot. Then it
> may cause fail on reboot. The msr bits already cached by mSevStatusChecked,
> there is no need to try cache again in PEI phase.
>
> Signed-off-by: Qi Zhou
> ---
> .../PeiMemEncryptSevLibInternal.c | 55 +++++++------------
> 1 file changed, 19 insertions(+), 36 deletions(-)
>
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index e2fd109d12..0819f50669 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -38,49 +38,32 @@ InternalMemEncryptSevStatus ( > UINT32 RegEax; > MSR_SEV_STATUS_REGISTER Msr; > CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; > - BOOLEAN ReadSevMsr; > - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; > > - ReadSevMsr = FALSE; > - > - SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); > - if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { > - // > - // The MSR has been read before, so it is safe to read it again and avoid > - // having to validate the CPUID information. > + // > + // Check if memory encryption leaf exist > + // > + AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); > + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { This now defeats the purpose of the workarea the already validated CPUID information. This CPUID information will now require validating. Wouldn't the best thing be to clear the workarea in the early boot code? Thanks, Tom > // > - ReadSevMsr = TRUE; > - } else { > + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) > // > - // Check if memory encryption leaf exist > - // > - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); > - if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { > + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL); > + > + if (Eax.Bits.SevBit) { > // > - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) > + // Check MSR_0xC0010131 Bit 0 (Sev Enabled) > // > - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL); > - > - if (Eax.Bits.SevBit) { > - ReadSevMsr = TRUE; > + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); > + if (Msr.Bits.SevBit) { > + mSevStatus = TRUE; > } > - } > - } > - > - if (ReadSevMsr) { > - // > - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) > - // > - Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); > - if (Msr.Bits.SevBit) { > - mSevStatus = TRUE; > - } > > - // > - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) > - // > - if (Msr.Bits.SevEsBit) { > - mSevEsStatus = TRUE; > + // > + // Check MSR_0xC0010131 
Bit 1 (Sev-Es Enabled) > + // > + if (Msr.Bits.SevEsBit) { > + mSevEsStatus = TRUE; > + } > } > } > >
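
Review bot: With the `SevEsWorkArea->EncryptionMask` branch removed at the top of InternalMemEncryptSevStatus, the `AsmReadMsr32 (MSR_SEV_STATUS)` read is gated only on the two `AsmCpuid` results, and nothing in the hunk validates them. The deleted comment said the work-area path existed to "avoid having to validate the CPUID information", so that guarantee is dropped rather than replaced. Since the failure described in the commit message comes from a stale, non-zero `EncryptionMask` surviving a reboot, consider keeping the work-area check and clearing the work area in early boot code instead, as the reply in this thread suggests. If the CPUID path is kept, add the validation and a comment stating why the CPUID values can be relied on in PEI. The commit message also leans on `mSevStatusChecked`, which does not appear in this hunk; a short comment in the function noting that it runs once per boot phase would make that assumption reviewable.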