From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.57])
 by mx.groups.io with SMTP id smtpd.web09.2820.1608065497290686853
 for <devel@edk2.groups.io>;
 Tue, 15 Dec 2020 12:51:37 -0800
Authentication-Results: mx.groups.io;
 dkim=fail reason="body hash did not verify" header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=Mf22ezjT;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.237.57, mailfrom: thomas.lendacky@amd.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=e/STQVZmP6oURvPHK+xw7skF+8PAhfaMoCpWJ68c0yP3jmKUnIVILiLWaLbVVP1nrSiPG2oQF9LthQRCwXcsW8N1hXgurqX1M1hBgYmjNuzbSSYrQRT+rOg/0+/hjXDiakfET0qO5o6JCm6UdadOu79lm1Wmzrmj4uqpq4Kiyzb9sI0JVRC9aV8iC/WSd9f5LOXmGGeC4UfItklpgvU+OfQS3Hyn0KflKJ4tilgSWh/Hiz9rLZycBO9B2dWGJrDwcuXKQwjOG+wZhLn0UjWAG7QJTMiSOPBwYx2A/FrDjWaYygK/qfntWanWz1ApPaxhlezXfCmv7M5PiQNuNYqzAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=0oXVB4duNhaS871RW2TBNEW+znVp4ol8hYZpdhroXcg=;
 b=D0WpT0Mp5PhxJK6L2/kAC5wKKAcsbYiYgz4rEzXA5d5lF7ddCvaEf5TzEF06TQiQsLbkIim21B49Wi3xZudNn4267N+IsRc/aO3EMG2pNwagNfzuH25Bi9bUUPyc/dUJNn2c9z32txh0f553ZDcsyW6D15nNBSbRf7Uy0orlFXbMKT8r5D5g+aiPFlma1Mb+Y0nyQjgiHII71lFh8jd6Hg1GCfmkt9uYaz5+evpBtfPdMFUqOJBrquvUlmP9SxRNFJ/i6ydYBRHoF7+g5uNMNMIBQY5TGScgmjZH0iYXOAvVNsR+B8vsl5EszNDhkmD7sc36EJiAZ22qJaLCS+rmUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=0oXVB4duNhaS871RW2TBNEW+znVp4ol8hYZpdhroXcg=;
 b=Mf22ezjThF/aahjhBoIeKuXyBzMdPj6E9OjD/Vyk6a1AcPUK5KBh/qxAmmxH5uGtp+MlHl7vF1y+bu2dGSapdsvDyDIfhsF8V7Bh/TSDE+Tdiwh9CMRILPXPLT5xDJOik2vpkvShmxMb6p6hBQt93c7kwVy2NPDgJnVPeNwz6hs=
Authentication-Results: edk2.groups.io; dkim=none (message not signed)
 header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com;
Received: from DM5PR12MB1355.namprd12.prod.outlook.com (10.168.234.7) by
 DM6PR12MB4155.namprd12.prod.outlook.com (10.141.8.79) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3654.15; Tue, 15 Dec 2020 20:51:34 +0000
Received: from DM5PR12MB1355.namprd12.prod.outlook.com
 ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com
 ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3654.025; Tue, 15 Dec 2020
 20:51:34 +0000
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: devel@edk2.groups.io
CC: Brijesh Singh <brijesh.singh@amd.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: [PATCH 01/12] Ovmf/ResetVector: Simplify and consolidate the SEV features checks
Date: Tue, 15 Dec 2020 14:51:00 -0600
Message-ID: <edeb394ae1c339908f76d98c80573432f25cef1f.1608065471.git.thomas.lendacky@amd.com>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <cover.1608065471.git.thomas.lendacky@amd.com>
References: <cover.1608065471.git.thomas.lendacky@amd.com>
X-Originating-IP: [165.204.77.1]
X-ClientProxiedBy: CH2PR10CA0004.namprd10.prod.outlook.com
 (2603:10b6:610:4c::14) To DM5PR12MB1355.namprd12.prod.outlook.com
 (2603:10b6:3:6e::7)
Return-Path: thomas.lendacky@amd.com
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from tlendack-t1.amd.com (165.204.77.1) by CH2PR10CA0004.namprd10.prod.outlook.com (2603:10b6:610:4c::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12 via Frontend Transport; Tue, 15 Dec 2020 20:51:33 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: fa518678-8606-49f4-29a2-08d8a13b3584
X-MS-TrafficTypeDiagnostic: DM6PR12MB4155:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
	<DM6PR12MB415525661CD593ECA6854F1DECC60@DM6PR12MB4155.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:5236;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	Vh/czc0Hv0jQBv61zU/rYD3ZM2jaribxf7OHlV44s1tKgzHGQ1dxEriMZ+8H7cE/KpWEptKjuBHPE2ptcO+2l8FxNuXfdyOFVa9Gj2rqp+S5vkZpLO1bpFKt1Fqsbrfcyps1pVMZOBkU/i0+TNtRWebomVwHWC0sCQUF8/SEjjGSstCThIJ7C66n/gPQ0kabtE3Pk1OC8oLoDBJRA+d9S45WEf4pVWBi6oIQpZyoDsl9IE8zhHzYCiK5CV0Z/bAEFLc1sIjZCqqPWp2QskFlfT6n2tju42VLq9UfkJOGhmluRW0x0fs7NtamaUKhuz1hJDZeVoWMr7byz5xZKy5V27xNv56UQ1hDyM2KfT2bKCPv+0wZWCJaB1UIl8hx2nIVF5eZtf6aXMA5xdEwoccGGM9I0U8ppUG6DsCcvHx9GhpXaW7A9j+y74nhJJRCaon/dX+UIIfPNBITejQ1N0me8A==
X-Forefront-Antispam-Report: 
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(376002)(366004)(136003)(346002)(66946007)(26005)(4326008)(19627235002)(16526019)(6916009)(8676002)(36756003)(508600001)(52116002)(6666004)(83380400001)(5660300002)(8936002)(966005)(186003)(54906003)(956004)(2616005)(66476007)(2906002)(86362001)(34490700003)(6486002)(66556008)(7696005);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: 
	=?us-ascii?Q?p6QrKuMj2esKVJz08PUl9tvLWSpQBZgtEOz/HrrEss0IgJDy7gA3OqC7aQDj?=
 =?us-ascii?Q?DhkrKznWDhTlmD5XxlkDPBsNQ1PfEm0u6op4ocmfTY2wAJXFnlrDnBKRdSJ0?=
 =?us-ascii?Q?V1aFn7312bbib87/QGvmNkXbCqSs9KwrC/lz8OV1T8O8tbmkpBvyIJfVzXPx?=
 =?us-ascii?Q?JWNWGG1rwTJmgo7uo8x6iJCfMgVVPwbRmjXyPW+1sUfSaFY6gSxid4TzZUlz?=
 =?us-ascii?Q?JDn50zonS2arLBO2/7rbvLITd481D1U0xiYH/4ADK/jF0jK8bO/Sbxtv5deK?=
 =?us-ascii?Q?vlLzm/N4sMK4XeBLOL4tlVM/AB8IbEcSZQ+Z1f5reUc5gJhylCj9XDzyatQm?=
 =?us-ascii?Q?EwtKtwAqYZYZyh91LTRU4IrbS2mA6nkcqJQXvJDAlg5oaF+dkCwwcXG5ID0q?=
 =?us-ascii?Q?QbUNnkUke61kV7vFWXihoKyyBMRC0kH4dW7AkX6gw+5EXCIm1PC5IyJLs2g0?=
 =?us-ascii?Q?DZu1btQPWV7Z1PFIwacxsmOSIq1ZUIGXiQtBiyMpAD4f9DW0sQDsFfe8eyNB?=
 =?us-ascii?Q?Gn+BMDCwA49FLYyvQ19jQWwKFeEysyBqODB55x1p0Kt5VUfzWhvAQo0yX3pR?=
 =?us-ascii?Q?8dE/t25Wo6pT3kmj8gPQVD/uxmKTaKfMyHBpH33ZrOqjKYemqifxOuvQbQgl?=
 =?us-ascii?Q?SYgfLFggKIjcEV6IDrGMo6JSSc9mmhyq14ZoXeWizb/bXtfJxcOE2K96y7wQ?=
 =?us-ascii?Q?4B2/ro1QykMSSgs2BrXcZcWP+B+oYMBxCY57gaUNrtw2AU51jKAcU25aFlTV?=
 =?us-ascii?Q?rlgeBT/gcSYjYsD6jainm1QcUyG7rDlf801pgKVe+4uHqI8nalJuLd35dPMd?=
 =?us-ascii?Q?O2dl/UztyuI3cnvSvYPwh6P6/M4aQWudOrF4TIq6pFmKLtVtbFJwtaSwwrIY?=
 =?us-ascii?Q?1mcQ9xlDy/M2e3LsHPpSkQXUgSZ5I8KxHU/WotYFUYOqG6FjdcZZO6chM6CF?=
 =?us-ascii?Q?CpXhJLJsulEe8TdOSkjLowTv4wtV+WYP8ajkaN5Fj4854mqR4RS1IJ66NgjK?=
 =?us-ascii?Q?Wu7U?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Dec 2020 20:51:34.4512
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-Network-Message-Id: fa518678-8606-49f4-29a2-08d8a13b3584
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: VHYusUEVjRGh/CqxJyez5+F5jlqNHmbmxYv7y/Q2qkhoJZHR6wovQSR2XF17QIuJ20uc6pX4OCqBbpgsM8xTpA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4155
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

From: Tom Lendacky <thomas.lendacky@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3108

Simplify and consolidate the SEV and SEV-ES checks into a single routine.
This new routine will use CPUID to check for the appropriate CPUID leaves
and the required values, as well as read the non-interceptable SEV status
MSR (0xc0010131) to check SEV and SEV-ES enablement.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 75 ++++++++++++++---------
 1 file changed, 45 insertions(+), 30 deletions(-)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto=
r/Ia32/PageTables64.asm
index 7c72128a84d6..4032719c3075 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -3,6 +3,7 @@
 ; Sets the CR3 register for 64-bit paging
 ;
 ; Copyright (c) 2008 - 2013, Intel Corporation. All rights reserved.<BR>
+; Copyright (c) 2017 - 2020, Advanced Micro Devices, Inc. All rights reser=
ved.<BR>
 ; SPDX-License-Identifier: BSD-2-Clause-Patent
 ;
 ;-------------------------------------------------------------------------=
-----
@@ -62,18 +63,22 @@ BITS    32
 %define CPUID_INSN_LEN              2
=20
=20
-; Check if Secure Encrypted Virtualization (SEV) feature is enabled
+; Check if Secure Encrypted Virtualization (SEV) features are enabled.
+;
+; Register usage is tight in this routine, so multiple calls for the
+; same CPUID and MSR data are performed to keep things simple.
 ;
 ; Modified:  EAX, EBX, ECX, EDX, ESP
 ;
 ; If SEV is enabled then EAX will be at least 32.
 ; If SEV is disabled then EAX will be zero.
 ;
-CheckSevFeature:
+CheckSevFeatures:
     ; Set the first byte of the workarea to zero to communicate to the SEC
     ; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID
     ; instruction will trigger a #VC exception where the first byte of the
-    ; workarea will be set to one.
+    ; workarea will be set to one or, if CPUID is not being intercepted,
+    ; the MSR check below will set the first byte of the workarea to one.
     mov     byte[SEV_ES_WORK_AREA], 0
=20
     ;
@@ -97,21 +102,41 @@ CheckSevFeature:
     cmp       eax, 0x8000001f
     jl        NoSev
=20
-    ; Check for memory encryption feature:
+    ; Check for SEV memory encryption feature:
     ; CPUID  Fn8000_001F[EAX] - Bit 1
     ;   CPUID raises a #VC exception if running as an SEV-ES guest
-    mov       eax,  0x8000001f
+    mov       eax, 0x8000001f
     cpuid
     bt        eax, 1
     jnc       NoSev
=20
-    ; Check if memory encryption is enabled
+    ; Check if SEV memory encryption is enabled
     ;  MSR_0xC0010131 - Bit 0 (SEV enabled)
     mov       ecx, 0xc0010131
     rdmsr
     bt        eax, 0
     jnc       NoSev
=20
+    ; Check for SEV-ES memory encryption feature:
+    ; CPUID  Fn8000_001F[EAX] - Bit 3
+    ;   CPUID raises a #VC exception if running as an SEV-ES guest
+    mov       eax, 0x8000001f
+    cpuid
+    bt        eax, 3
+    jnc       GetSevEncBit
+
+    ; Check if SEV-ES is enabled
+    ;  MSR_0xC0010131 - Bit 1 (SEV-ES enabled)
+    mov       ecx, 0xc0010131
+    rdmsr
+    bt        eax, 1
+    jnc       GetSevEncBit
+
+    ; Set the first byte of the workarea to one to communicate to the SEC
+    ; phase that SEV-ES is enabled.
+    mov       byte[SEV_ES_WORK_AREA], 1
+
+GetSevEncBit:
     ; Get pte bit position to enable memory encryption
     ; CPUID Fn8000_001F[EBX] - Bits 5:0
     ;
@@ -132,45 +157,35 @@ SevExit:
     pop       eax
     mov       esp, 0
=20
-    OneTimeCallRet CheckSevFeature
+    OneTimeCallRet CheckSevFeatures
=20
 ; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feat=
ure
 ; is enabled.
 ;
-; Modified:  EAX, EBX, ECX
+; Modified:  EAX
 ;
 ; If SEV-ES is enabled then EAX will be non-zero.
 ; If SEV-ES is disabled then EAX will be zero.
 ;
-CheckSevEsFeature:
+IsSevEsEnabled:
     xor       eax, eax
=20
-    ; SEV-ES can't be enabled if SEV isn't, so first check the encryption
-    ; mask.
-    test      edx, edx
-    jz        NoSevEs
+    ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if
+    ; SEV-ES is enabled.
+    cmp       byte[SEV_ES_WORK_AREA], 1
+    jne       SevEsDisabled
=20
-    ; Save current value of encryption mask
-    mov       ebx, edx
+    mov       eax, 1
=20
-    ; Check if SEV-ES is enabled
-    ;  MSR_0xC0010131 - Bit 1 (SEV-ES enabled)
-    mov       ecx, 0xc0010131
-    rdmsr
-    and       eax, 2
-
-    ; Restore encryption mask
-    mov       edx, ebx
-
-NoSevEs:
-    OneTimeCallRet CheckSevEsFeature
+SevEsDisabled:
+    OneTimeCallRet IsSevEsEnabled
=20
 ;
 ; Modified:  EAX, EBX, ECX, EDX
 ;
 SetCr3ForPageTables64:
=20
-    OneTimeCall   CheckSevFeature
+    OneTimeCall   CheckSevFeatures
     xor     edx, edx
     test    eax, eax
     jz      SevNotActive
@@ -229,7 +244,7 @@ pageTableEntriesLoop:
     mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
     loop    pageTableEntriesLoop
=20
-    OneTimeCall   CheckSevEsFeature
+    OneTimeCall   IsSevEsEnabled
     test    eax, eax
     jz      SetCr3
=20
@@ -336,8 +351,8 @@ SevEsIdtVmmComm:
     ; If we're here, then we are an SEV-ES guest and this
     ; was triggered by a CPUID instruction
     ;
-    ; Set the first byte of the workarea to one to communicate to the SEC
-    ; phase that SEV-ES is enabled.
+    ; Set the first byte of the workarea to one to communicate that
+    ; a #VC was taken.
     mov     byte[SEV_ES_WORK_AREA], 1
=20
     pop     ecx                     ; Error code
--=20
2.28.0