From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Laszlo Ersek <lersek@redhat.com>, devel@edk2.groups.io
Cc: Brijesh Singh <brijesh.singh@amd.com>,
James Bottomley <jejb@linux.ibm.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Rebecca Cran <rebecca@bsdio.com>,
Peter Grehan <grehan@freebsd.org>,
Anthony Perard <anthony.perard@citrix.com>,
Julien Grall <julien@xen.org>
Subject: Re: [edk2-devel] [PATCH 05/12] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask
Date: Mon, 4 Jan 2021 15:09:04 -0600 [thread overview]
Message-ID: <f42c261f-99a0-ab62-5244-45a3c639db0a@amd.com> (raw)
In-Reply-To: <2bbd9ca2-5759-412a-0ad5-1ee062818b67@redhat.com>
On 1/4/21 2:34 PM, Laszlo Ersek wrote:
> On 12/15/20 21:51, Lendacky, Thomas wrote:
>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>
>> BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3108&data=04%7C01%7Cthomas.lendacky%40amd.com%7Ca6820182d19f4e0821d908d8b0f01c5f%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637453892632471236%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pXsRpEk6pQPZUiqtY1OUzmcsjflNq5nTN6I6%2F%2F1d8VI%3D&reserved=0
>>
>> The early assembler code performs validation for some of the SEV-related
>> information, specifically the encryption bit position. To avoid having to
>> re-validate the encryption bit position as the system proceeds through its
>> boot phases, use the saved information from the SEV-ES work area during
>> PEI and PcdPteMemoryEncryptionAddressOrMask (set during PEI) during DXE.
>
> (1) Please replace
>
> and
>
> on the last line, with
>
> , and
>
Will do.
> Without the comma, it's too easy to misread the message as "use [blah]
> during PEI and PcdPteMemoryEncryptionAddressOrMask" -- i.e., as if
> "during" applied to "PEI" and "PcdPteMemoryEncryptionAddressOrMask"
> alike. Which of course makes no sense.
>
>>
>> To ensure that we always use a validated encryption mask for an SEV-ES
>> guest, create a new interface in the MemEncryptSevLib library to return
>> the encryption mask. This avoids the multiple locations where CPUID is
>> used to retrieve the value and allows the validated mask to be returned.
>>
>> Update all locations that use CPUID to calculate the encryption mask to
>> use the new interface. Also, clean up some call areas where extra masking
>> was being performed and where a function call was being used instead of
>> the local variable that was just set using the function.
>>
>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
>> Cc: Rebecca Cran <rebecca@bsdio.com>
>> Cc: Peter Grehan <grehan@freebsd.org>
>> Cc: Anthony Perard <anthony.perard@citrix.com>
>> Cc: Julien Grall <julien@xen.org>
>> Cc: Brijesh Singh <brijesh.singh@amd.com>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>> ---
>> OvmfPkg/AmdSev/AmdSevX64.dsc | 4 +-
>> OvmfPkg/Bhyve/BhyveX64.dsc | 4 +-
>> OvmfPkg/OvmfPkgIa32.dsc | 4 +-
>> OvmfPkg/OvmfPkgIa32X64.dsc | 4 +-
>> OvmfPkg/OvmfPkgX64.dsc | 4 +-
>> OvmfPkg/OvmfXen.dsc | 3 +-
>> ...SevLib.inf => DxeBaseMemEncryptSevLib.inf} | 13 +-
>> .../PeiBaseMemEncryptSevLib.inf | 56 ++++++
>> OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 ++
>> OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 +-
>> .../DxeMemEncryptSevLibInternal.c | 145 ++++++++++++++++
>> .../MemEncryptSevLibInternal.c | 91 +---------
>> .../PeiMemEncryptSevLibInternal.c | 159 ++++++++++++++++++
>> .../BaseMemEncryptSevLib/X64/VirtualMemory.c | 15 +-
>> OvmfPkg/PlatformPei/AmdSev.c | 12 +-
>> OvmfPkg/XenPlatformPei/AmdSev.c | 12 +-
>> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +-
>> OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
>> 18 files changed, 422 insertions(+), 141 deletions(-)
>> rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf => DxeBaseMemEncryptSevLib.inf} (67%)
>> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
>> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>
> (2) "DxeBase" should be just "Dxe", and "PeiBase" should just be "Pei".
>
> The BASE_NAME defines in the INF files are correct already, but the
> names of those INF files, and the references to them in the DSC files,
> are not.
Yup, will fix.
>
>>
>> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
>> index bb7697eb324b..c742ec54cb57 100644
>> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
>> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
>> @@ -164,7 +164,7 @@ [LibraryClasses]
>> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
>> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
>> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
>> FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
>> @@ -285,6 +285,8 @@ [LibraryClasses.common.PEIM]
>> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>> !endif
>>
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> +
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
>> diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
>> index b93fe30ae4e0..27973bc940d5 100644
>> --- a/OvmfPkg/Bhyve/BhyveX64.dsc
>> +++ b/OvmfPkg/Bhyve/BhyveX64.dsc
>> @@ -163,7 +163,7 @@ [LibraryClasses]
>> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
>> BhyveFwCtlLib|OvmfPkg/Library/BhyveFwCtlLib/BhyveFwCtlLib.inf
>> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>>
>> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
>> @@ -292,6 +292,8 @@ [LibraryClasses.common.PEIM]
>> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>> !endif
>>
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> +
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>> index 8eede796a8bd..e433e17dc807 100644
>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>> @@ -169,7 +169,7 @@ [LibraryClasses]
>> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
>> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
>> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> !if $(SMM_REQUIRE) == FALSE
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>> !endif
>> @@ -309,6 +309,8 @@ [LibraryClasses.common.PEIM]
>> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>> !endif
>>
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> +
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>> index f9f82a48f4b9..2e2eefbe33f0 100644
>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>> @@ -173,7 +173,7 @@ [LibraryClasses]
>> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
>> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
>> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> !if $(SMM_REQUIRE) == FALSE
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>> !endif
>> @@ -313,6 +313,8 @@ [LibraryClasses.common.PEIM]
>> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>> !endif
>>
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> +
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>> index e59ae05b73aa..3e008855fbc1 100644
>> --- a/OvmfPkg/OvmfPkgX64.dsc
>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -173,7 +173,7 @@ [LibraryClasses]
>> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
>> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
>> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> !if $(SMM_REQUIRE) == FALSE
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>> !endif
>> @@ -313,6 +313,8 @@ [LibraryClasses.common.PEIM]
>> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>> !endif
>>
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> +
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
>> diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
>> index 12b7a87ee877..44fae364b423 100644
>> --- a/OvmfPkg/OvmfXen.dsc
>> +++ b/OvmfPkg/OvmfXen.dsc
>> @@ -161,7 +161,7 @@ [LibraryClasses]
>> SerializeVariablesLib|OvmfPkg/Library/SerializeVariablesLib/SerializeVariablesLib.inf
>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxeLib.inf
>> QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
>> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
>> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
>> FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
>> @@ -273,6 +273,7 @@ [LibraryClasses.common.PEIM]
>> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf
>> PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>>
>> [LibraryClasses.common.DXE_CORE]
>> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> similarity index 67%
>> rename from OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> rename to OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> index 7c44d0952815..2be6ca1fa737 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf
>> @@ -1,7 +1,7 @@
>> ## @file
>> # Library provides the helper functions for SEV guest
>> #
>> -# Copyright (c) 2017 Advanced Micro Devices. All rights reserved.<BR>
>> +# Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
>> #
>> # SPDX-License-Identifier: BSD-2-Clause-Patent
>> #
>> @@ -10,11 +10,11 @@
>>
>> [Defines]
>> INF_VERSION = 1.25
>> - BASE_NAME = MemEncryptSevLib
>> + BASE_NAME = DxeMemEncryptSevLib
>> FILE_GUID = c1594631-3888-4be4-949f-9c630dbc842b
>> MODULE_TYPE = BASE
>> VERSION_STRING = 1.0
>> - LIBRARY_CLASS = MemEncryptSevLib|PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_DRIVER
>> + LIBRARY_CLASS = MemEncryptSevLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_DRIVER
>>
>> #
>> # The following information is for reference only and not required by the build
>> @@ -30,14 +30,16 @@ [Packages]
>> UefiCpuPkg/UefiCpuPkg.dec
>>
>> [Sources.X64]
>> + DxeMemEncryptSevLibInternal.c
>> MemEncryptSevLibInternal.c
>> X64/MemEncryptSevLib.c
>> X64/VirtualMemory.c
>> X64/VirtualMemory.h
>>
>> [Sources.IA32]
>> + DxeMemEncryptSevLibInternal.c
>> + MemEncryptSevLibInternal.c
>> Ia32/MemEncryptSevLib.c
>> - MemEncryptSevLibInternal.c
>>
>> [LibraryClasses]
>> BaseLib
>> @@ -49,3 +51,6 @@ [LibraryClasses]
>>
>> [FeaturePcd]
>> gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
>> +
>> +[Pcd]
>> + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> new file mode 100644
>> index 000000000000..7bdf8cb5210d
>> --- /dev/null
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf
>> @@ -0,0 +1,56 @@
>> +## @file
>> +# Library provides the helper functions for SEV guest
>> +#
>> +# Copyright (c) 2020 Advanced Micro Devices. All rights reserved.<BR>
>> +#
>> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>> +#
>> +#
>> +##
>> +
>> +[Defines]
>> + INF_VERSION = 1.25
>> + BASE_NAME = PeiMemEncryptSevLib
>> + FILE_GUID = 15d9a694-3d2a-4184-9672-ba55c3070e07
>> + MODULE_TYPE = BASE
>> + VERSION_STRING = 1.0
>> + LIBRARY_CLASS = MemEncryptSevLib|PEIM
>> +
>> +#
>> +# The following information is for reference only and not required by the build
>> +# tools.
>> +#
>> +# VALID_ARCHITECTURES = IA32 X64
>> +#
>> +
>> +[Packages]
>> + MdeModulePkg/MdeModulePkg.dec
>> + MdePkg/MdePkg.dec
>> + OvmfPkg/OvmfPkg.dec
>> + UefiCpuPkg/UefiCpuPkg.dec
>> +
>> +[Sources.X64]
>> + PeiMemEncryptSevLibInternal.c
>> + MemEncryptSevLibInternal.c
>> + X64/MemEncryptSevLib.c
>> + X64/VirtualMemory.c
>> + X64/VirtualMemory.h
>> +
>> +[Sources.IA32]
>> + PeiMemEncryptSevLibInternal.c
>> + MemEncryptSevLibInternal.c
>> + Ia32/MemEncryptSevLib.c
>> +
>> +[LibraryClasses]
>> + BaseLib
>> + CacheMaintenanceLib
>> + CpuLib
>> + DebugLib
>> + MemoryAllocationLib
>> + PcdLib
>> +
>> +[FeaturePcd]
>> + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
>> +
>> +[FixedPcd]
>> + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
>
> (3) In each INF file:
>
> I suggest moving the files shared between X64 and IA32 to a plain
> [Sources] section (i.e., no architecture modifier). I do agree that the
> pre-patch status is already not ideal (as "MemEncryptSevLibInternal.c"
> is duplicated between the [Sources.IA32] and [Sources.X64] sections),
> but since you already move "MemEncryptSevLibInternal.c" a bit, we might
> as well move as much as possible under a new [Sources] section.
>
> Again this applies to both INF files.
Will do.
>
>> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
>> index dc09c61e58bb..394065f15bc1 100644
>> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
>> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
>> @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
>> UINT8 Reserved1[7];
>>
>> UINT64 RandomData;
>> +
>> + UINT64 EncryptionMask;
>> } SEC_SEV_ES_WORK_AREA;
>>
>> /**
>> @@ -133,4 +135,16 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages (
>> OUT UINTN *BaseAddress,
>> OUT UINTN *NumberOfPages
>> );
>> +
>> +/**
>> + Returns the SEV encryption mask.
>> +
>> + @return The SEV pagtable encryption mask
>
> (4) Typo: "pagtable".
Will fix.
>
>> +**/
>> +UINT64
>> +EFIAPI
>> +MemEncryptSevGetEncryptionMask (
>> + VOID
>> + );
>> +
>> #endif // _MEM_ENCRYPT_SEV_LIB_H_
>
> (5) The contents of this patch makes sense, but the patch is too large
> for my taste. Please split it to 3 patches:
>
> - Save the mask in the reset vector to a new field in the work area.
>
> - Introduce the new API to the lib class (and introduce both lib
> instances too). Reworking "VirtualMemory.c" in this same patch is fine.
>
> - Migrate the consumers of the mask to the new API (as far as I can
> tell, these are the three PlatformPei modules).
Ok, I'll start working on that.
>
> (6) Please confirm that you've successfully built all six modified DSC
> files.
>
> For Bhyve, you need nothing extra (similarly to Xen).
>
> For test-building "OvmfPkg/AmdSev/AmdSevX64.dsc", you need to palce any
> random grub.efi binary at "OvmfPkg/AmdSev/Grub/grub.efi".
Will do.
Thanks,
Tom
>
> Thanks,
> Laszlo
>
>> diff --git a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c b/OvmfPkg/Bhyve/PlatformPei/AmdSev.c
>> index e484f4b311fe..e3ed78581c1b 100644
>> --- a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c
>> +++ b/OvmfPkg/Bhyve/PlatformPei/AmdSev.c
>> @@ -1,7 +1,7 @@
>> /**@file
>> Initialize Secure Encrypted Virtualization (SEV) support
>>
>> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
>>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>>
>> @@ -15,8 +15,6 @@
>> #include <Library/MemEncryptSevLib.h>
>> #include <Library/PcdLib.h>
>> #include <PiPei.h>
>> -#include <Register/Amd/Cpuid.h>
>> -#include <Register/Cpuid.h>
>> #include <Register/Intel/SmramSaveStateMap.h>
>>
>> #include "Platform.h"
>> @@ -32,7 +30,6 @@ AmdSevInitialize (
>> VOID
>> )
>> {
>> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;
>> UINT64 EncryptionMask;
>> RETURN_STATUS PcdStatus;
>>
>> @@ -43,15 +40,10 @@ AmdSevInitialize (
>> return;
>> }
>>
>> - //
>> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
>> - //
>> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
>> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
>> -
>> //
>> // Set Memory Encryption Mask PCD
>> //
>> + EncryptionMask = MemEncryptSevGetEncryptionMask ();
>> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
>> ASSERT_RETURN_ERROR (PcdStatus);
>>
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
>> new file mode 100644
>> index 000000000000..2816f859a0c4
>> --- /dev/null
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
>> @@ -0,0 +1,145 @@
>> +/** @file
>> +
>> + Secure Encrypted Virtualization (SEV) library helper function
>> +
>> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>> +
>> + SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <Library/BaseLib.h>
>> +#include <Library/DebugLib.h>
>> +#include <Library/MemEncryptSevLib.h>
>> +#include <Library/PcdLib.h>
>> +#include <Register/Amd/Cpuid.h>
>> +#include <Register/Amd/Msr.h>
>> +#include <Register/Cpuid.h>
>> +#include <Uefi/UefiBaseType.h>
>> +
>> +STATIC BOOLEAN mSevStatus = FALSE;
>> +STATIC BOOLEAN mSevEsStatus = FALSE;
>> +STATIC BOOLEAN mSevStatusChecked = FALSE;
>> +
>> +STATIC UINT64 mSevEncryptionMask = 0;
>> +STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
>> +
>> +/**
>> + Reads and sets the status of SEV features.
>> +
>> + **/
>> +STATIC
>> +VOID
>> +EFIAPI
>> +InternalMemEncryptSevStatus (
>> + VOID
>> + )
>> +{
>> + UINT32 RegEax;
>> + MSR_SEV_STATUS_REGISTER Msr;
>> + CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax;
>> + BOOLEAN ReadSevMsr;
>> + UINT64 EncryptionMask;
>> +
>> + ReadSevMsr = FALSE;
>> +
>> + EncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask);
>> + if (EncryptionMask != 0) {
>> + //
>> + // The MSR has been read before, so it is safe to read it again and avoid
>> + // having to validate the CPUID information.
>> + //
>> + ReadSevMsr = TRUE;
>> + } else {
>> + //
>> + // Check if memory encryption leaf exist
>> + //
>> + AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL);
>> + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) {
>> + //
>> + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported)
>> + //
>> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL);
>> +
>> + if (Eax.Bits.SevBit) {
>> + ReadSevMsr = TRUE;
>> + }
>> + }
>> + }
>> +
>> + if (ReadSevMsr) {
>> + //
>> + // Check MSR_0xC0010131 Bit 0 (Sev Enabled)
>> + //
>> + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS);
>> + if (Msr.Bits.SevBit) {
>> + mSevStatus = TRUE;
>> + }
>> +
>> + //
>> + // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled)
>> + //
>> + if (Msr.Bits.SevEsBit) {
>> + mSevEsStatus = TRUE;
>> + }
>> + }
>> +
>> + mSevStatusChecked = TRUE;
>> +}
>> +
>> +/**
>> + Returns a boolean to indicate whether SEV-ES is enabled.
>> +
>> + @retval TRUE SEV-ES is enabled
>> + @retval FALSE SEV-ES is not enabled
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +MemEncryptSevEsIsEnabled (
>> + VOID
>> + )
>> +{
>> + if (!mSevStatusChecked) {
>> + InternalMemEncryptSevStatus ();
>> + }
>> +
>> + return mSevEsStatus;
>> +}
>> +
>> +/**
>> + Returns a boolean to indicate whether SEV is enabled.
>> +
>> + @retval TRUE SEV is enabled
>> + @retval FALSE SEV is not enabled
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +MemEncryptSevIsEnabled (
>> + VOID
>> + )
>> +{
>> + if (!mSevStatusChecked) {
>> + InternalMemEncryptSevStatus ();
>> + }
>> +
>> + return mSevStatus;
>> +}
>> +
>> +/**
>> + Returns the SEV encryption mask.
>> +
>> + @return The SEV pagtable encryption mask
>> +**/
>> +UINT64
>> +EFIAPI
>> +MemEncryptSevGetEncryptionMask (
>> + VOID
>> + )
>> +{
>> + if (!mSevEncryptionMaskSaved) {
>> + mSevEncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask);
>> + mSevEncryptionMaskSaved = TRUE;
>> + }
>> +
>> + return mSevEncryptionMask;
>> +}
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
>> index 02b8eb225d81..ec6d02eaefd0 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c
>> @@ -2,7 +2,7 @@
>>
>> Secure Encrypted Virtualization (SEV) library helper function
>>
>> - Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
>> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>>
>> @@ -19,95 +19,6 @@
>> #include <Register/SmramSaveStateMap.h>
>> #include <Uefi/UefiBaseType.h>
>>
>> -STATIC BOOLEAN mSevStatus = FALSE;
>> -STATIC BOOLEAN mSevEsStatus = FALSE;
>> -STATIC BOOLEAN mSevStatusChecked = FALSE;
>> -
>> -/**
>> - Reads and sets the status of SEV features.
>> -
>> - **/
>> -STATIC
>> -VOID
>> -EFIAPI
>> -InternalMemEncryptSevStatus (
>> - VOID
>> - )
>> -{
>> - UINT32 RegEax;
>> - MSR_SEV_STATUS_REGISTER Msr;
>> - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax;
>> -
>> - //
>> - // Check if memory encryption leaf exist
>> - //
>> - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL);
>> - if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) {
>> - //
>> - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported)
>> - //
>> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL);
>> -
>> - if (Eax.Bits.SevBit) {
>> - //
>> - // Check MSR_0xC0010131 Bit 0 (Sev Enabled)
>> - //
>> - Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS);
>> - if (Msr.Bits.SevBit) {
>> - mSevStatus = TRUE;
>> - }
>> -
>> - //
>> - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled)
>> - //
>> - if (Msr.Bits.SevEsBit) {
>> - mSevEsStatus = TRUE;
>> - }
>> - }
>> - }
>> -
>> - mSevStatusChecked = TRUE;
>> -}
>> -
>> -/**
>> - Returns a boolean to indicate whether SEV-ES is enabled.
>> -
>> - @retval TRUE SEV-ES is enabled
>> - @retval FALSE SEV-ES is not enabled
>> -**/
>> -BOOLEAN
>> -EFIAPI
>> -MemEncryptSevEsIsEnabled (
>> - VOID
>> - )
>> -{
>> - if (!mSevStatusChecked) {
>> - InternalMemEncryptSevStatus ();
>> - }
>> -
>> - return mSevEsStatus;
>> -}
>> -
>> -/**
>> - Returns a boolean to indicate whether SEV is enabled.
>> -
>> - @retval TRUE SEV is enabled
>> - @retval FALSE SEV is not enabled
>> -**/
>> -BOOLEAN
>> -EFIAPI
>> -MemEncryptSevIsEnabled (
>> - VOID
>> - )
>> -{
>> - if (!mSevStatusChecked) {
>> - InternalMemEncryptSevStatus ();
>> - }
>> -
>> - return mSevStatus;
>> -}
>> -
>> -
>> /**
>> Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
>> Save State Map.
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> new file mode 100644
>> index 000000000000..e2fd109d120f
>> --- /dev/null
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
>> @@ -0,0 +1,159 @@
>> +/** @file
>> +
>> + Secure Encrypted Virtualization (SEV) library helper function
>> +
>> + Copyright (c) 2020, AMD Incorporated. All rights reserved.<BR>
>> +
>> + SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <Library/BaseLib.h>
>> +#include <Library/DebugLib.h>
>> +#include <Library/MemEncryptSevLib.h>
>> +#include <Library/PcdLib.h>
>> +#include <Register/Amd/Cpuid.h>
>> +#include <Register/Amd/Msr.h>
>> +#include <Register/Cpuid.h>
>> +#include <Uefi/UefiBaseType.h>
>> +
>> +STATIC BOOLEAN mSevStatus = FALSE;
>> +STATIC BOOLEAN mSevEsStatus = FALSE;
>> +STATIC BOOLEAN mSevStatusChecked = FALSE;
>> +
>> +STATIC UINT64 mSevEncryptionMask = 0;
>> +STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
>> +
>> +/**
>> + Reads and sets the status of SEV features.
>> +
>> + **/
>> +STATIC
>> +VOID
>> +EFIAPI
>> +InternalMemEncryptSevStatus (
>> + VOID
>> + )
>> +{
>> + UINT32 RegEax;
>> + MSR_SEV_STATUS_REGISTER Msr;
>> + CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax;
>> + BOOLEAN ReadSevMsr;
>> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
>> +
>> + ReadSevMsr = FALSE;
>> +
>> + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
>> + if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) {
>> + //
>> + // The MSR has been read before, so it is safe to read it again and avoid
>> + // having to validate the CPUID information.
>> + //
>> + ReadSevMsr = TRUE;
>> + } else {
>> + //
>> + // Check if memory encryption leaf exist
>> + //
>> + AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL);
>> + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) {
>> + //
>> + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported)
>> + //
>> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL);
>> +
>> + if (Eax.Bits.SevBit) {
>> + ReadSevMsr = TRUE;
>> + }
>> + }
>> + }
>> +
>> + if (ReadSevMsr) {
>> + //
>> + // Check MSR_0xC0010131 Bit 0 (Sev Enabled)
>> + //
>> + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS);
>> + if (Msr.Bits.SevBit) {
>> + mSevStatus = TRUE;
>> + }
>> +
>> + //
>> + // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled)
>> + //
>> + if (Msr.Bits.SevEsBit) {
>> + mSevEsStatus = TRUE;
>> + }
>> + }
>> +
>> + mSevStatusChecked = TRUE;
>> +}
>> +
>> +/**
>> + Returns a boolean to indicate whether SEV-ES is enabled.
>> +
>> + @retval TRUE SEV-ES is enabled
>> + @retval FALSE SEV-ES is not enabled
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +MemEncryptSevEsIsEnabled (
>> + VOID
>> + )
>> +{
>> + if (!mSevStatusChecked) {
>> + InternalMemEncryptSevStatus ();
>> + }
>> +
>> + return mSevEsStatus;
>> +}
>> +
>> +/**
>> + Returns a boolean to indicate whether SEV is enabled.
>> +
>> + @retval TRUE SEV is enabled
>> + @retval FALSE SEV is not enabled
>> +**/
>> +BOOLEAN
>> +EFIAPI
>> +MemEncryptSevIsEnabled (
>> + VOID
>> + )
>> +{
>> + if (!mSevStatusChecked) {
>> + InternalMemEncryptSevStatus ();
>> + }
>> +
>> + return mSevStatus;
>> +}
>> +
>> +/**
>> + Returns the SEV encryption mask.
>> +
>> + @return The SEV pagtable encryption mask
>> +**/
>> +UINT64
>> +EFIAPI
>> +MemEncryptSevGetEncryptionMask (
>> + VOID
>> + )
>> +{
>> + if (!mSevEncryptionMaskSaved) {
>> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
>> +
>> + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
>> + if (SevEsWorkArea != NULL) {
>> + mSevEncryptionMask = SevEsWorkArea->EncryptionMask;
>> + } else {
>> + CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;
>> +
>> + //
>> + // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
>> + //
>> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
>> + mSevEncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
>> + }
>> +
>> + mSevEncryptionMaskSaved = TRUE;
>> + }
>> +
>> + return mSevEncryptionMask;
>> +}
>> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
>> index 5e110c84ff81..6422bc53bd5d 100644
>> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
>> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c
>> @@ -3,7 +3,7 @@
>> Virtual Memory Management Services to set or clear the memory encryption bit
>>
>> Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
>> - Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
>> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
>>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>>
>> @@ -12,6 +12,7 @@
>> **/
>>
>> #include <Library/CpuLib.h>
>> +#include <Library/MemEncryptSevLib.h>
>> #include <Register/Amd/Cpuid.h>
>> #include <Register/Cpuid.h>
>>
>> @@ -39,17 +40,12 @@ GetMemEncryptionAddressMask (
>> )
>> {
>> UINT64 EncryptionMask;
>> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;
>>
>> if (mAddressEncMaskChecked) {
>> return mAddressEncMask;
>> }
>>
>> - //
>> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
>> - //
>> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
>> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
>> + EncryptionMask = MemEncryptSevGetEncryptionMask ();
>>
>> mAddressEncMask = EncryptionMask & PAGING_1G_ADDRESS_MASK_64;
>> mAddressEncMaskChecked = TRUE;
>> @@ -289,8 +285,7 @@ SetPageTablePoolReadOnly (
>> LevelSize[3] = SIZE_1GB;
>> LevelSize[4] = SIZE_512GB;
>>
>> - AddressEncMask = GetMemEncryptionAddressMask() &
>> - PAGING_1G_ADDRESS_MASK_64;
>> + AddressEncMask = GetMemEncryptionAddressMask();
>> PageTable = (UINT64 *)(UINTN)PageTableBase;
>> PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE;
>>
>> @@ -437,7 +432,7 @@ Split1GPageTo2M (
>>
>> AddressEncMask = GetMemEncryptionAddressMask ();
>> ASSERT (PageDirectoryEntry != NULL);
>> - ASSERT (*PageEntry1G & GetMemEncryptionAddressMask ());
>> + ASSERT (*PageEntry1G & AddressEncMask);
>> //
>> // Fill in 1G page entry.
>> //
>> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
>> index 4a515a484720..954d53eba4e8 100644
>> --- a/OvmfPkg/PlatformPei/AmdSev.c
>> +++ b/OvmfPkg/PlatformPei/AmdSev.c
>> @@ -1,7 +1,7 @@
>> /**@file
>> Initialize Secure Encrypted Virtualization (SEV) support
>>
>> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
>>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>>
>> @@ -17,9 +17,7 @@
>> #include <Library/MemoryAllocationLib.h>
>> #include <Library/PcdLib.h>
>> #include <PiPei.h>
>> -#include <Register/Amd/Cpuid.h>
>> #include <Register/Amd/Msr.h>
>> -#include <Register/Cpuid.h>
>> #include <Register/Intel/SmramSaveStateMap.h>
>>
>> #include "Platform.h"
>> @@ -116,7 +114,6 @@ AmdSevInitialize (
>> VOID
>> )
>> {
>> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;
>> UINT64 EncryptionMask;
>> RETURN_STATUS PcdStatus;
>>
>> @@ -127,15 +124,10 @@ AmdSevInitialize (
>> return;
>> }
>>
>> - //
>> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
>> - //
>> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
>> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
>> -
>> //
>> // Set Memory Encryption Mask PCD
>> //
>> + EncryptionMask = MemEncryptSevGetEncryptionMask ();
>> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
>> ASSERT_RETURN_ERROR (PcdStatus);
>>
>> diff --git a/OvmfPkg/XenPlatformPei/AmdSev.c b/OvmfPkg/XenPlatformPei/AmdSev.c
>> index 7ebbb5cc1fd2..4ed448632ae2 100644
>> --- a/OvmfPkg/XenPlatformPei/AmdSev.c
>> +++ b/OvmfPkg/XenPlatformPei/AmdSev.c
>> @@ -1,7 +1,7 @@
>> /**@file
>> Initialize Secure Encrypted Virtualization (SEV) support
>>
>> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
>> Copyright (c) 2019, Citrix Systems, Inc.
>>
>> SPDX-License-Identifier: BSD-2-Clause-Patent
>> @@ -14,8 +14,6 @@
>> #include <Library/MemEncryptSevLib.h>
>> #include <Library/PcdLib.h>
>> #include <PiPei.h>
>> -#include <Register/Amd/Cpuid.h>
>> -#include <Register/Cpuid.h>
>>
>> #include "Platform.h"
>>
>> @@ -30,7 +28,6 @@ AmdSevInitialize (
>> VOID
>> )
>> {
>> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;
>> UINT64 EncryptionMask;
>> RETURN_STATUS PcdStatus;
>>
>> @@ -41,15 +38,10 @@ AmdSevInitialize (
>> return;
>> }
>>
>> - //
>> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
>> - //
>> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
>> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
>> -
>> //
>> // Set Memory Encryption Mask PCD
>> //
>> + EncryptionMask = MemEncryptSevGetEncryptionMask ();
>> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
>> ASSERT_RETURN_ERROR (PcdStatus);
>>
>> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
>> index b08f31157cbf..8c0d432050df 100644
>> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
>> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
>> @@ -145,13 +145,21 @@ GetSevEncBit:
>>
>> ; The encryption bit position is always above 31
>> sub ebx, 32
>> - jns SevExit
>> + jns SevSaveMask
>>
>> ; Encryption bit was reported as 31 or below, enter a HLT loop
>> SevEncBitLowHlt:
>> hlt
>> jmp SevEncBitLowHlt
>>
>> +SevSaveMask:
>> + xor edx, edx
>> + bts edx, ebx
>> +
>> + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0
>> + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx
>> + jmp SevExit
>> +
>> NoSev:
>> ;
>> ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred.
>> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
>> index d3aa87982959..5fbacaed5f9d 100644
>> --- a/OvmfPkg/ResetVector/ResetVector.nasmb
>> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb
>> @@ -74,6 +74,7 @@
>> %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize))
>> %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase))
>> %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8)
>> + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16)
>> %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
>> %include "Ia32/Flat32ToFlat64.asm"
>> %include "Ia32/PageTables64.asm"
>>
>
next prev parent reply other threads:[~2021-01-04 21:09 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-15 20:50 [PATCH 00/12] SEV-ES security mitigations Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 01/12] Ovmf/ResetVector: Simplify and consolidate the SEV features checks Lendacky, Thomas
2021-01-04 18:58 ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 02/12] OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file Lendacky, Thomas
2021-01-04 19:02 ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 03/12] OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES Lendacky, Thomas
2021-01-04 19:59 ` [edk2-devel] " Laszlo Ersek
2021-01-04 20:45 ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 04/12] OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check Lendacky, Thomas
2021-01-04 20:00 ` [edk2-devel] " Laszlo Ersek
2021-01-04 20:48 ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 05/12] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask Lendacky, Thomas
2021-01-04 20:34 ` [edk2-devel] " Laszlo Ersek
2021-01-04 21:09 ` Lendacky, Thomas [this message]
2020-12-15 20:51 ` [PATCH 06/12] OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range Lendacky, Thomas
2021-01-04 21:04 ` [edk2-devel] " Laszlo Ersek
2021-01-05 22:48 ` Lendacky, Thomas
2021-01-06 15:38 ` Laszlo Ersek
2020-12-15 20:51 ` [PATCH 07/12] OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value Lendacky, Thomas
2021-01-04 21:05 ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 08/12] OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC Lendacky, Thomas
2021-01-05 9:40 ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:34 ` Lendacky, Thomas
2021-01-05 15:38 ` Lendacky, Thomas
2021-01-06 14:22 ` Laszlo Ersek
2021-01-06 14:21 ` Laszlo Ersek
2020-12-15 20:51 ` [PATCH 09/12] OvmfPkg/MemEncryptSevLib: Address range encryption state interface Lendacky, Thomas
2021-01-05 9:48 ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 10/12] OvmfPkg/VmgExitLib: Support nested #VCs Lendacky, Thomas
2021-01-05 10:08 ` [edk2-devel] " Laszlo Ersek
2020-12-15 20:51 ` [PATCH 11/12] OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported Lendacky, Thomas
2021-01-05 10:13 ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:40 ` Lendacky, Thomas
2020-12-15 20:51 ` [PATCH 12/12] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory Lendacky, Thomas
2021-01-05 10:28 ` [edk2-devel] " Laszlo Ersek
2021-01-05 14:45 ` Lendacky, Thomas
2020-12-17 14:23 ` [PATCH 00/12] SEV-ES security mitigations Laszlo Ersek
2020-12-21 15:02 ` [edk2-devel] " Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f42c261f-99a0-ab62-5244-45a3c639db0a@amd.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox