From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.54]) by mx.groups.io with SMTP id smtpd.web08.201.1609794549322942384 for ; Mon, 04 Jan 2021 13:09:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=eLvbnapn; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.237.54, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ic6PJL3LmRYC3aG1sD7sLFI9L5f1HY2FMX/2qjsaaG0TEIaKGGLOjFVj7ehlkCx4xUx6P0FR924O/AcEBz39+9vtMeT7ToU0jldlooTxjMyxX7Yrvss5PHP0Kq17ZefN5Xgle4v9Ruc91WkraCntc8I5F3s0WYRR0iMv2KifP4xRWvZmrSGMzi8DcrEWIjd4sImro8bEx+IFkVbvBL66BpVpo9T/lWufmpJmr3z80yKu7iLN0GN5USalTWSxmVZK+eKlZtlCcXDt/3i4uEEgDCScsmIRKCbm7u1o7brVmn0gJyya5iFExFfyfNNf/7sw7nkIW0DITV8duxnZVwL1Iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=V+ijj4rwfXS2+b/RD8L6ieUKSeS/BmzzHO+pCZ7c+qw=; b=mrx5ccQOTuVgDZHIK6S8OZVn2/79WhtcaMsMSA9emTEl6EES6JS7dwgMLKUBo+rqM3DSGS2M32QukMNZDG7X7D3F+K/qq5zf7t5VXmbjWNEVJKCbZj7g0a5mg1EZgwA1PwymdLlRgbfqTtVQnTmME9kmjlAbN0+3YG+HhOCs0cBEdi4sTY6Tsf3FxJxaS5C46pzRlHihNwDpymfXv1MbbThcqnatvpGJywJITNmiX5wgLWvQuC0rLVCP4nbjgc+y+zBhrjSfJ89a3F/c7TThqanT1E3agU3ADNda9XHhyvWclxsAI9ihh7XJY6RsVcWcjI6UvmcR0EmFg0tuWfBGEg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=V+ijj4rwfXS2+b/RD8L6ieUKSeS/BmzzHO+pCZ7c+qw=; b=eLvbnapn2Jn287csmiqxEG02p/FZBS2MijnE1grqzEiAc1YL2M9TxxaHtTZD4ALQEvfs2Nb+5q8ssknkVRgptJxSBEYLLP0yUz56wdgbzyMqlaqLVZT7adel+sD8TbeQANdw6lLWaIIJlEpM3eFEnzgUdPUPAIRc7RUEPs5N/GM= Authentication-Results: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM6PR12MB3084.namprd12.prod.outlook.com (2603:10b6:5:117::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.22; Mon, 4 Jan 2021 21:09:06 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3721.024; Mon, 4 Jan 2021 21:09:06 +0000 Subject: Re: [edk2-devel] [PATCH 05/12] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask To: Laszlo Ersek , devel@edk2.groups.io Cc: Brijesh Singh , James Bottomley , Jordan Justen , Ard Biesheuvel , Rebecca Cran , Peter Grehan , Anthony Perard , Julien Grall References: <2bbd9ca2-5759-412a-0ad5-1ee062818b67@redhat.com> From: "Lendacky, Thomas" Message-ID: Date: Mon, 4 Jan 2021 15:09:04 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 In-Reply-To: <2bbd9ca2-5759-412a-0ad5-1ee062818b67@redhat.com> X-Originating-IP: [67.79.209.213] X-ClientProxiedBy: SA0PR11CA0059.namprd11.prod.outlook.com (2603:10b6:806:d0::34) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from office-linux.texastahm.com (67.79.209.213) by SA0PR11CA0059.namprd11.prod.outlook.com (2603:10b6:806:d0::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.20 via Frontend Transport; Mon, 4 Jan 2021 21:09:05 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: ce7d9eb2-09a6-438d-4f75-08d8b0f4f8ea X-MS-TrafficTypeDiagnostic: DM6PR12MB3084: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: zpUdQuN3wicaZpGz6ugIg2AqKo3vdf7MkGt2+oH145cBR5/u5Fpg0P4cREj+p4xgbd+MYEuuLXqI6rNvjtyTuIEvhvHYXYGvunOZ90T+hXY3O5wq93OlThnK7pjjhaQoGFy3oE+K1r8W6bn0LMjh3TfYnMBavWw7JkfUmgDUuSyHijN3wLCf2LsoSMSuSzSSfLwGkKUhcEPxjfr+Q+v4BnIHh49Q5o12Fy9VBTeBaXZMvLPlblS/aO2oiiDL6S22yIPEVAUPPs/sMNG97gAqo6hcyBl0o1aDaHTlM2iv3D/KtR47I4kY3vJz0Q4Hn6yIREwDCNNNp63kJkUuK/O9cWsbr4vYGELSR7jZ289hTuQDAXB9M318NwRmSpItEBqOtsFojcVU9Nt4bU04eQb79i+92uFu+4m00R0ig4+/vxYhVqQ+g4tJtH+8CWzf5oWmafb+moh2r/uLE7sqakXw0qpQH+NV7cwXoh4LS5gnxyAboaj1bWPY4pTWd8vZ9/DH7KcUFncPJDh30JINuZ5ogph3iMt9UDqVpRdZEQvMlj/np9RtxqjqSLQ18Dm/Z5PY X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(396003)(136003)(39860400002)(376002)(366004)(346002)(966005)(4326008)(36756003)(83380400001)(19627235002)(52116002)(86362001)(31686004)(8936002)(5660300002)(2906002)(316002)(31696002)(478600001)(8676002)(45080400002)(2616005)(956004)(66556008)(66476007)(30864003)(66946007)(16526019)(54906003)(6486002)(186003)(26005)(6512007)(53546011)(6506007)(43740500002)(45980500001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?Zm10SkhLYnhJM1JpdVJBM1FsVXhLYjdMNlVhQW1WamYySGdiMUhyQTdXNkxU?= =?utf-8?B?SkpkRVZUcXk0NllFZGk1L2M1eENId0hVLzhOd0I5cjkxVkpnSEdRK0JIbDhZ?= =?utf-8?B?ZGNSd2o5L2plRUZRdWlKTENzNy9wYmxCOFVyMndtTkxKWER2bmp6L0JvR0xY?= =?utf-8?B?ZXAwWFRDQzNFTWtPR2gyR29iaVhTR0JJU3ZOeGlqK3N2TzBFdGdJT1lHaDcr?= =?utf-8?B?VG1hSjVVSStGZndheWZldVdRNXNuWjFHN3A1dzA5ZlQwUlFGejVrTmE5Q2hu?= =?utf-8?B?MlcvcEdrR0lpMys5OXlLVkMzeFc2VHhyRG5VTDY1cGRWOFBwdGtYUVI5SDFE?= =?utf-8?B?eDBTY1JZblc0NmZhMXdLb1Q2Vm9tQ3dqaUJKU2wxK2NiMHJSbE91cDFIOGcw?= =?utf-8?B?a2pSQ1N5eHkrQjQ5cFNaNFQrRUJZSVBUZzN5SkNrMG1MZjlrUURsS2toMmth?= =?utf-8?B?N0ZhUGxFVXU2K3hBdWVDdTl0ZjlLSTFOQ25pZWgxVm9UWnlzdkltMTJUeTlJ?= =?utf-8?B?L2hhTzNwb2ZJeUpIOXhTUkJvalB4eVlCZmxwK0ZKWWE2akxIbUtDVDRySlhu?= =?utf-8?B?S1AvL3E0WVJEek1sK0NsbDJQVThkdVd2cno1ZVE4ZjNNWVgzek1EeGRyTkpj?= =?utf-8?B?dUh3bllndTB2N1VkUUFpdUZCNVBjanFIckhJa3NTbFFkR2JJYkE2R3IwZnph?= =?utf-8?B?ckVVdVRrL3JvNSszV3B6Y012ODJ6NU1yZWkrZGtsZGpRSlh0KzkvREZ6SlpC?= =?utf-8?B?aUdNaUxkS1gxTWI0dmd4V01pakxkaUIvd3UrSFF0MStScVMycXNwRHhkVHdX?= =?utf-8?B?cDl3dGxxSjQ5TGlPVzdlVnJxVWZzMlE4Ri8zazFYUGZ0VWNiL1hiNytWZFVs?= =?utf-8?B?Nml6SGFDZmUzdXRZZFpic2UvZmtBVHl5K1haTnVGWGVCS3hjMENXN2xZZk9s?= =?utf-8?B?WVRJYVhNY1o3NitQVnBxM0cwZ2RaSExzeU4zTXhvbHFPSk5ZRU96NHNSQUFN?= =?utf-8?B?L05Fa0greEZRT0RTbkxCZ0hyVWV3dlI2ekZZbGJreDNLd3FxcWcvS3dFQjds?= =?utf-8?B?NjEwVHB1RnA2R0x6WWlMMFRWbm92dGhpV0htR2NIVlpkeUlyQlpDV1l6QStk?= =?utf-8?B?UTZkTUs4aDdMVUxvVUs1dXpPN3VMNXdzcGZzWXllMC9SbUF5Zk1jaHZ3bk1N?= =?utf-8?B?aHhTS3JFZnd1ay9jN1JvYlc2R1JLdVhUTlFac1hZNjVGVm5KREVDMDdRVmxE?= =?utf-8?B?ZlVSTFRLYmF0N0lBL0NGUmFGM0UvWUVRNjkrREFRTzFXOEw0ZE9MS1JTek1C?= =?utf-8?Q?7S09BeWopmWgVs+GsMYTyK1ylx501Y121S?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Jan 2021 21:09:06.6369 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-Network-Message-Id: ce7d9eb2-09a6-438d-4f75-08d8b0f4f8ea X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: JGoUCm2IPlOM5CqtlLQ4B1RmbJOusC6mkrUqEisyt3DmUkQHva2X36Viraf2BLTxNCpB0A1FHryjtw4CPb2uJg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB3084 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 1/4/21 2:34 PM, Laszlo Ersek wrote: > On 12/15/20 21:51, Lendacky, Thomas wrote: >> From: Tom Lendacky >> >> BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3108&data=04%7C01%7Cthomas.lendacky%40amd.com%7Ca6820182d19f4e0821d908d8b0f01c5f%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637453892632471236%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pXsRpEk6pQPZUiqtY1OUzmcsjflNq5nTN6I6%2F%2F1d8VI%3D&reserved=0 >> >> The early assembler code performs validation for some of the SEV-related >> information, specifically the encryption bit position. To avoid having to >> re-validate the encryption bit position as the system proceeds through its >> boot phases, use the saved information from the SEV-ES work area during >> PEI and PcdPteMemoryEncryptionAddressOrMask (set during PEI) during DXE. > > (1) Please replace > > and > > on the last line, with > > , and > Will do. > Without the comma, it's too easy to misread the message as "use [blah] > during PEI and PcdPteMemoryEncryptionAddressOrMask" -- i.e., as if > "during" applied to "PEI" and "PcdPteMemoryEncryptionAddressOrMask" > alike. Which of course makes no sense. > >> >> To ensure that we always use a validated encryption mask for an SEV-ES >> guest, create a new interface in the MemEncryptSevLib library to return >> the encryption mask. This avoids the multiple locations where CPUID is >> used to retrieve the value and allows the validated mask to be returned. >> >> Update all locations that use CPUID to calculate the encryption mask to >> use the new interface. Also, clean up some call areas where extra masking >> was being performed and where a function call was being used instead of >> the local variable that was just set using the function. >> >> Cc: Jordan Justen >> Cc: Laszlo Ersek >> Cc: Ard Biesheuvel >> Cc: Rebecca Cran >> Cc: Peter Grehan >> Cc: Anthony Perard >> Cc: Julien Grall >> Cc: Brijesh Singh >> Signed-off-by: Tom Lendacky >> --- >> OvmfPkg/AmdSev/AmdSevX64.dsc | 4 +- >> OvmfPkg/Bhyve/BhyveX64.dsc | 4 +- >> OvmfPkg/OvmfPkgIa32.dsc | 4 +- >> OvmfPkg/OvmfPkgIa32X64.dsc | 4 +- >> OvmfPkg/OvmfPkgX64.dsc | 4 +- >> OvmfPkg/OvmfXen.dsc | 3 +- >> ...SevLib.inf => DxeBaseMemEncryptSevLib.inf} | 13 +- >> .../PeiBaseMemEncryptSevLib.inf | 56 ++++++ >> OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 ++ >> OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 +- >> .../DxeMemEncryptSevLibInternal.c | 145 ++++++++++++++++ >> .../MemEncryptSevLibInternal.c | 91 +--------- >> .../PeiMemEncryptSevLibInternal.c | 159 ++++++++++++++++++ >> .../BaseMemEncryptSevLib/X64/VirtualMemory.c | 15 +- >> OvmfPkg/PlatformPei/AmdSev.c | 12 +- >> OvmfPkg/XenPlatformPei/AmdSev.c | 12 +- >> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +- >> OvmfPkg/ResetVector/ResetVector.nasmb | 1 + >> 18 files changed, 422 insertions(+), 141 deletions(-) >> rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf => DxeBaseMemEncryptSevLib.inf} (67%) >> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c >> create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c > > (2) "DxeBase" should be just "Dxe", and "PeiBase" should just be "Pei". > > The BASE_NAME defines in the INF files are correct already, but the > names of those INF files, and the references to them in the DSC files, > are not. Yup, will fix. > >> >> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc >> index bb7697eb324b..c742ec54cb57 100644 >> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc >> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc >> @@ -164,7 +164,7 @@ [LibraryClasses] >> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf >> FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf >> @@ -285,6 +285,8 @@ [LibraryClasses.common.PEIM] >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf >> !endif >> >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> + >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf >> diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc >> index b93fe30ae4e0..27973bc940d5 100644 >> --- a/OvmfPkg/Bhyve/BhyveX64.dsc >> +++ b/OvmfPkg/Bhyve/BhyveX64.dsc >> @@ -163,7 +163,7 @@ [LibraryClasses] >> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf >> BhyveFwCtlLib|OvmfPkg/Library/BhyveFwCtlLib/BhyveFwCtlLib.inf >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> >> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf >> @@ -292,6 +292,8 @@ [LibraryClasses.common.PEIM] >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf >> !endif >> >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> + >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf >> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc >> index 8eede796a8bd..e433e17dc807 100644 >> --- a/OvmfPkg/OvmfPkgIa32.dsc >> +++ b/OvmfPkg/OvmfPkgIa32.dsc >> @@ -169,7 +169,7 @@ [LibraryClasses] >> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> @@ -309,6 +309,8 @@ [LibraryClasses.common.PEIM] >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf >> !endif >> >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> + >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf >> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc >> index f9f82a48f4b9..2e2eefbe33f0 100644 >> --- a/OvmfPkg/OvmfPkgIa32X64.dsc >> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc >> @@ -173,7 +173,7 @@ [LibraryClasses] >> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> @@ -313,6 +313,8 @@ [LibraryClasses.common.PEIM] >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf >> !endif >> >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> + >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf >> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc >> index e59ae05b73aa..3e008855fbc1 100644 >> --- a/OvmfPkg/OvmfPkgX64.dsc >> +++ b/OvmfPkg/OvmfPkgX64.dsc >> @@ -173,7 +173,7 @@ [LibraryClasses] >> QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf >> VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf >> LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> !if $(SMM_REQUIRE) == FALSE >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> !endif >> @@ -313,6 +313,8 @@ [LibraryClasses.common.PEIM] >> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf >> !endif >> >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> + >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf >> diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc >> index 12b7a87ee877..44fae364b423 100644 >> --- a/OvmfPkg/OvmfXen.dsc >> +++ b/OvmfPkg/OvmfXen.dsc >> @@ -161,7 +161,7 @@ [LibraryClasses] >> SerializeVariablesLib|OvmfPkg/Library/SerializeVariablesLib/SerializeVariablesLib.inf >> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxeLib.inf >> QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf >> - MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf >> CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf >> FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf >> @@ -273,6 +273,7 @@ [LibraryClasses.common.PEIM] >> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf >> PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf >> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf >> + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> >> [LibraryClasses.common.DXE_CORE] >> HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> similarity index 67% >> rename from OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> rename to OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> index 7c44d0952815..2be6ca1fa737 100644 >> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeBaseMemEncryptSevLib.inf >> @@ -1,7 +1,7 @@ >> ## @file >> # Library provides the helper functions for SEV guest >> # >> -# Copyright (c) 2017 Advanced Micro Devices. All rights reserved.
>> +# Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.
>> # >> # SPDX-License-Identifier: BSD-2-Clause-Patent >> # >> @@ -10,11 +10,11 @@ >> >> [Defines] >> INF_VERSION = 1.25 >> - BASE_NAME = MemEncryptSevLib >> + BASE_NAME = DxeMemEncryptSevLib >> FILE_GUID = c1594631-3888-4be4-949f-9c630dbc842b >> MODULE_TYPE = BASE >> VERSION_STRING = 1.0 >> - LIBRARY_CLASS = MemEncryptSevLib|PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_DRIVER >> + LIBRARY_CLASS = MemEncryptSevLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_DRIVER >> >> # >> # The following information is for reference only and not required by the build >> @@ -30,14 +30,16 @@ [Packages] >> UefiCpuPkg/UefiCpuPkg.dec >> >> [Sources.X64] >> + DxeMemEncryptSevLibInternal.c >> MemEncryptSevLibInternal.c >> X64/MemEncryptSevLib.c >> X64/VirtualMemory.c >> X64/VirtualMemory.h >> >> [Sources.IA32] >> + DxeMemEncryptSevLibInternal.c >> + MemEncryptSevLibInternal.c >> Ia32/MemEncryptSevLib.c >> - MemEncryptSevLibInternal.c >> >> [LibraryClasses] >> BaseLib >> @@ -49,3 +51,6 @@ [LibraryClasses] >> >> [FeaturePcd] >> gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire >> + >> +[Pcd] >> + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> new file mode 100644 >> index 000000000000..7bdf8cb5210d >> --- /dev/null >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf >> @@ -0,0 +1,56 @@ >> +## @file >> +# Library provides the helper functions for SEV guest >> +# >> +# Copyright (c) 2020 Advanced Micro Devices. All rights reserved.
>> +# >> +# SPDX-License-Identifier: BSD-2-Clause-Patent >> +# >> +# >> +## >> + >> +[Defines] >> + INF_VERSION = 1.25 >> + BASE_NAME = PeiMemEncryptSevLib >> + FILE_GUID = 15d9a694-3d2a-4184-9672-ba55c3070e07 >> + MODULE_TYPE = BASE >> + VERSION_STRING = 1.0 >> + LIBRARY_CLASS = MemEncryptSevLib|PEIM >> + >> +# >> +# The following information is for reference only and not required by the build >> +# tools. >> +# >> +# VALID_ARCHITECTURES = IA32 X64 >> +# >> + >> +[Packages] >> + MdeModulePkg/MdeModulePkg.dec >> + MdePkg/MdePkg.dec >> + OvmfPkg/OvmfPkg.dec >> + UefiCpuPkg/UefiCpuPkg.dec >> + >> +[Sources.X64] >> + PeiMemEncryptSevLibInternal.c >> + MemEncryptSevLibInternal.c >> + X64/MemEncryptSevLib.c >> + X64/VirtualMemory.c >> + X64/VirtualMemory.h >> + >> +[Sources.IA32] >> + PeiMemEncryptSevLibInternal.c >> + MemEncryptSevLibInternal.c >> + Ia32/MemEncryptSevLib.c >> + >> +[LibraryClasses] >> + BaseLib >> + CacheMaintenanceLib >> + CpuLib >> + DebugLib >> + MemoryAllocationLib >> + PcdLib >> + >> +[FeaturePcd] >> + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire >> + >> +[FixedPcd] >> + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase > > (3) In each INF file: > > I suggest moving the files shared between X64 and IA32 to a plain > [Sources] section (i.e., no architecture modifier). I do agree that the > pre-patch status is already not ideal (as "MemEncryptSevLibInternal.c" > is duplicated between the [Sources.IA32] and [Sources.X64] sections), > but since you already move "MemEncryptSevLibInternal.c" a bit, we might > as well move as much as possible under a new [Sources] section. > > Again this applies to both INF files. Will do. > >> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h >> index dc09c61e58bb..394065f15bc1 100644 >> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h >> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h >> @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { >> UINT8 Reserved1[7]; >> >> UINT64 RandomData; >> + >> + UINT64 EncryptionMask; >> } SEC_SEV_ES_WORK_AREA; >> >> /** >> @@ -133,4 +135,16 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages ( >> OUT UINTN *BaseAddress, >> OUT UINTN *NumberOfPages >> ); >> + >> +/** >> + Returns the SEV encryption mask. >> + >> + @return The SEV pagtable encryption mask > > (4) Typo: "pagtable". Will fix. > >> +**/ >> +UINT64 >> +EFIAPI >> +MemEncryptSevGetEncryptionMask ( >> + VOID >> + ); >> + >> #endif // _MEM_ENCRYPT_SEV_LIB_H_ > > (5) The contents of this patch makes sense, but the patch is too large > for my taste. Please split it to 3 patches: > > - Save the mask in the reset vector to a new field in the work area. > > - Introduce the new API to the lib class (and introduce both lib > instances too). Reworking "VirtualMemory.c" in this same patch is fine. > > - Migrate the consumers of the mask to the new API (as far as I can > tell, these are the three PlatformPei modules). Ok, I'll start working on that. > > (6) Please confirm that you've successfully built all six modified DSC > files. > > For Bhyve, you need nothing extra (similarly to Xen). > > For test-building "OvmfPkg/AmdSev/AmdSevX64.dsc", you need to palce any > random grub.efi binary at "OvmfPkg/AmdSev/Grub/grub.efi". Will do. Thanks, Tom > > Thanks, > Laszlo > >> diff --git a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c b/OvmfPkg/Bhyve/PlatformPei/AmdSev.c >> index e484f4b311fe..e3ed78581c1b 100644 >> --- a/OvmfPkg/Bhyve/PlatformPei/AmdSev.c >> +++ b/OvmfPkg/Bhyve/PlatformPei/AmdSev.c >> @@ -1,7 +1,7 @@ >> /**@file >> Initialize Secure Encrypted Virtualization (SEV) support >> >> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.
>> >> SPDX-License-Identifier: BSD-2-Clause-Patent >> >> @@ -15,8 +15,6 @@ >> #include >> #include >> #include >> -#include >> -#include >> #include >> >> #include "Platform.h" >> @@ -32,7 +30,6 @@ AmdSevInitialize ( >> VOID >> ) >> { >> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; >> UINT64 EncryptionMask; >> RETURN_STATUS PcdStatus; >> >> @@ -43,15 +40,10 @@ AmdSevInitialize ( >> return; >> } >> >> - // >> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) >> - // >> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); >> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits); >> - >> // >> // Set Memory Encryption Mask PCD >> // >> + EncryptionMask = MemEncryptSevGetEncryptionMask (); >> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask); >> ASSERT_RETURN_ERROR (PcdStatus); >> >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c >> new file mode 100644 >> index 000000000000..2816f859a0c4 >> --- /dev/null >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c >> @@ -0,0 +1,145 @@ >> +/** @file >> + >> + Secure Encrypted Virtualization (SEV) library helper function >> + >> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +STATIC BOOLEAN mSevStatus = FALSE; >> +STATIC BOOLEAN mSevEsStatus = FALSE; >> +STATIC BOOLEAN mSevStatusChecked = FALSE; >> + >> +STATIC UINT64 mSevEncryptionMask = 0; >> +STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; >> + >> +/** >> + Reads and sets the status of SEV features. >> + >> + **/ >> +STATIC >> +VOID >> +EFIAPI >> +InternalMemEncryptSevStatus ( >> + VOID >> + ) >> +{ >> + UINT32 RegEax; >> + MSR_SEV_STATUS_REGISTER Msr; >> + CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; >> + BOOLEAN ReadSevMsr; >> + UINT64 EncryptionMask; >> + >> + ReadSevMsr = FALSE; >> + >> + EncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); >> + if (EncryptionMask != 0) { >> + // >> + // The MSR has been read before, so it is safe to read it again and avoid >> + // having to validate the CPUID information. >> + // >> + ReadSevMsr = TRUE; >> + } else { >> + // >> + // Check if memory encryption leaf exist >> + // >> + AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); >> + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { >> + // >> + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) >> + // >> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL); >> + >> + if (Eax.Bits.SevBit) { >> + ReadSevMsr = TRUE; >> + } >> + } >> + } >> + >> + if (ReadSevMsr) { >> + // >> + // Check MSR_0xC0010131 Bit 0 (Sev Enabled) >> + // >> + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); >> + if (Msr.Bits.SevBit) { >> + mSevStatus = TRUE; >> + } >> + >> + // >> + // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) >> + // >> + if (Msr.Bits.SevEsBit) { >> + mSevEsStatus = TRUE; >> + } >> + } >> + >> + mSevStatusChecked = TRUE; >> +} >> + >> +/** >> + Returns a boolean to indicate whether SEV-ES is enabled. >> + >> + @retval TRUE SEV-ES is enabled >> + @retval FALSE SEV-ES is not enabled >> +**/ >> +BOOLEAN >> +EFIAPI >> +MemEncryptSevEsIsEnabled ( >> + VOID >> + ) >> +{ >> + if (!mSevStatusChecked) { >> + InternalMemEncryptSevStatus (); >> + } >> + >> + return mSevEsStatus; >> +} >> + >> +/** >> + Returns a boolean to indicate whether SEV is enabled. >> + >> + @retval TRUE SEV is enabled >> + @retval FALSE SEV is not enabled >> +**/ >> +BOOLEAN >> +EFIAPI >> +MemEncryptSevIsEnabled ( >> + VOID >> + ) >> +{ >> + if (!mSevStatusChecked) { >> + InternalMemEncryptSevStatus (); >> + } >> + >> + return mSevStatus; >> +} >> + >> +/** >> + Returns the SEV encryption mask. >> + >> + @return The SEV pagtable encryption mask >> +**/ >> +UINT64 >> +EFIAPI >> +MemEncryptSevGetEncryptionMask ( >> + VOID >> + ) >> +{ >> + if (!mSevEncryptionMaskSaved) { >> + mSevEncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); >> + mSevEncryptionMaskSaved = TRUE; >> + } >> + >> + return mSevEncryptionMask; >> +} >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c >> index 02b8eb225d81..ec6d02eaefd0 100644 >> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c >> @@ -2,7 +2,7 @@ >> >> Secure Encrypted Virtualization (SEV) library helper function >> >> - Copyright (c) 2017, AMD Incorporated. All rights reserved.
>> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
>> >> SPDX-License-Identifier: BSD-2-Clause-Patent >> >> @@ -19,95 +19,6 @@ >> #include >> #include >> >> -STATIC BOOLEAN mSevStatus = FALSE; >> -STATIC BOOLEAN mSevEsStatus = FALSE; >> -STATIC BOOLEAN mSevStatusChecked = FALSE; >> - >> -/** >> - Reads and sets the status of SEV features. >> - >> - **/ >> -STATIC >> -VOID >> -EFIAPI >> -InternalMemEncryptSevStatus ( >> - VOID >> - ) >> -{ >> - UINT32 RegEax; >> - MSR_SEV_STATUS_REGISTER Msr; >> - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; >> - >> - // >> - // Check if memory encryption leaf exist >> - // >> - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); >> - if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { >> - // >> - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) >> - // >> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL); >> - >> - if (Eax.Bits.SevBit) { >> - // >> - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) >> - // >> - Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); >> - if (Msr.Bits.SevBit) { >> - mSevStatus = TRUE; >> - } >> - >> - // >> - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) >> - // >> - if (Msr.Bits.SevEsBit) { >> - mSevEsStatus = TRUE; >> - } >> - } >> - } >> - >> - mSevStatusChecked = TRUE; >> -} >> - >> -/** >> - Returns a boolean to indicate whether SEV-ES is enabled. >> - >> - @retval TRUE SEV-ES is enabled >> - @retval FALSE SEV-ES is not enabled >> -**/ >> -BOOLEAN >> -EFIAPI >> -MemEncryptSevEsIsEnabled ( >> - VOID >> - ) >> -{ >> - if (!mSevStatusChecked) { >> - InternalMemEncryptSevStatus (); >> - } >> - >> - return mSevEsStatus; >> -} >> - >> -/** >> - Returns a boolean to indicate whether SEV is enabled. >> - >> - @retval TRUE SEV is enabled >> - @retval FALSE SEV is not enabled >> -**/ >> -BOOLEAN >> -EFIAPI >> -MemEncryptSevIsEnabled ( >> - VOID >> - ) >> -{ >> - if (!mSevStatusChecked) { >> - InternalMemEncryptSevStatus (); >> - } >> - >> - return mSevStatus; >> -} >> - >> - >> /** >> Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM >> Save State Map. >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c >> new file mode 100644 >> index 000000000000..e2fd109d120f >> --- /dev/null >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c >> @@ -0,0 +1,159 @@ >> +/** @file >> + >> + Secure Encrypted Virtualization (SEV) library helper function >> + >> + Copyright (c) 2020, AMD Incorporated. All rights reserved.
>> + >> + SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +STATIC BOOLEAN mSevStatus = FALSE; >> +STATIC BOOLEAN mSevEsStatus = FALSE; >> +STATIC BOOLEAN mSevStatusChecked = FALSE; >> + >> +STATIC UINT64 mSevEncryptionMask = 0; >> +STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; >> + >> +/** >> + Reads and sets the status of SEV features. >> + >> + **/ >> +STATIC >> +VOID >> +EFIAPI >> +InternalMemEncryptSevStatus ( >> + VOID >> + ) >> +{ >> + UINT32 RegEax; >> + MSR_SEV_STATUS_REGISTER Msr; >> + CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; >> + BOOLEAN ReadSevMsr; >> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; >> + >> + ReadSevMsr = FALSE; >> + >> + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); >> + if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { >> + // >> + // The MSR has been read before, so it is safe to read it again and avoid >> + // having to validate the CPUID information. >> + // >> + ReadSevMsr = TRUE; >> + } else { >> + // >> + // Check if memory encryption leaf exist >> + // >> + AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); >> + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { >> + // >> + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) >> + // >> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL); >> + >> + if (Eax.Bits.SevBit) { >> + ReadSevMsr = TRUE; >> + } >> + } >> + } >> + >> + if (ReadSevMsr) { >> + // >> + // Check MSR_0xC0010131 Bit 0 (Sev Enabled) >> + // >> + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); >> + if (Msr.Bits.SevBit) { >> + mSevStatus = TRUE; >> + } >> + >> + // >> + // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) >> + // >> + if (Msr.Bits.SevEsBit) { >> + mSevEsStatus = TRUE; >> + } >> + } >> + >> + mSevStatusChecked = TRUE; >> +} >> + >> +/** >> + Returns a boolean to indicate whether SEV-ES is enabled. >> + >> + @retval TRUE SEV-ES is enabled >> + @retval FALSE SEV-ES is not enabled >> +**/ >> +BOOLEAN >> +EFIAPI >> +MemEncryptSevEsIsEnabled ( >> + VOID >> + ) >> +{ >> + if (!mSevStatusChecked) { >> + InternalMemEncryptSevStatus (); >> + } >> + >> + return mSevEsStatus; >> +} >> + >> +/** >> + Returns a boolean to indicate whether SEV is enabled. >> + >> + @retval TRUE SEV is enabled >> + @retval FALSE SEV is not enabled >> +**/ >> +BOOLEAN >> +EFIAPI >> +MemEncryptSevIsEnabled ( >> + VOID >> + ) >> +{ >> + if (!mSevStatusChecked) { >> + InternalMemEncryptSevStatus (); >> + } >> + >> + return mSevStatus; >> +} >> + >> +/** >> + Returns the SEV encryption mask. >> + >> + @return The SEV pagtable encryption mask >> +**/ >> +UINT64 >> +EFIAPI >> +MemEncryptSevGetEncryptionMask ( >> + VOID >> + ) >> +{ >> + if (!mSevEncryptionMaskSaved) { >> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; >> + >> + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); >> + if (SevEsWorkArea != NULL) { >> + mSevEncryptionMask = SevEsWorkArea->EncryptionMask; >> + } else { >> + CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; >> + >> + // >> + // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) >> + // >> + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); >> + mSevEncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits); >> + } >> + >> + mSevEncryptionMaskSaved = TRUE; >> + } >> + >> + return mSevEncryptionMask; >> +} >> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c >> index 5e110c84ff81..6422bc53bd5d 100644 >> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c >> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c >> @@ -3,7 +3,7 @@ >> Virtual Memory Management Services to set or clear the memory encryption bit >> >> Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
>> - Copyright (c) 2017, AMD Incorporated. All rights reserved.
>> + Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.
>> >> SPDX-License-Identifier: BSD-2-Clause-Patent >> >> @@ -12,6 +12,7 @@ >> **/ >> >> #include >> +#include >> #include >> #include >> >> @@ -39,17 +40,12 @@ GetMemEncryptionAddressMask ( >> ) >> { >> UINT64 EncryptionMask; >> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; >> >> if (mAddressEncMaskChecked) { >> return mAddressEncMask; >> } >> >> - // >> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) >> - // >> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); >> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits); >> + EncryptionMask = MemEncryptSevGetEncryptionMask (); >> >> mAddressEncMask = EncryptionMask & PAGING_1G_ADDRESS_MASK_64; >> mAddressEncMaskChecked = TRUE; >> @@ -289,8 +285,7 @@ SetPageTablePoolReadOnly ( >> LevelSize[3] = SIZE_1GB; >> LevelSize[4] = SIZE_512GB; >> >> - AddressEncMask = GetMemEncryptionAddressMask() & >> - PAGING_1G_ADDRESS_MASK_64; >> + AddressEncMask = GetMemEncryptionAddressMask(); >> PageTable = (UINT64 *)(UINTN)PageTableBase; >> PoolUnitSize = PAGE_TABLE_POOL_UNIT_SIZE; >> >> @@ -437,7 +432,7 @@ Split1GPageTo2M ( >> >> AddressEncMask = GetMemEncryptionAddressMask (); >> ASSERT (PageDirectoryEntry != NULL); >> - ASSERT (*PageEntry1G & GetMemEncryptionAddressMask ()); >> + ASSERT (*PageEntry1G & AddressEncMask); >> // >> // Fill in 1G page entry. >> // >> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c >> index 4a515a484720..954d53eba4e8 100644 >> --- a/OvmfPkg/PlatformPei/AmdSev.c >> +++ b/OvmfPkg/PlatformPei/AmdSev.c >> @@ -1,7 +1,7 @@ >> /**@file >> Initialize Secure Encrypted Virtualization (SEV) support >> >> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.
>> >> SPDX-License-Identifier: BSD-2-Clause-Patent >> >> @@ -17,9 +17,7 @@ >> #include >> #include >> #include >> -#include >> #include >> -#include >> #include >> >> #include "Platform.h" >> @@ -116,7 +114,6 @@ AmdSevInitialize ( >> VOID >> ) >> { >> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; >> UINT64 EncryptionMask; >> RETURN_STATUS PcdStatus; >> >> @@ -127,15 +124,10 @@ AmdSevInitialize ( >> return; >> } >> >> - // >> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) >> - // >> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); >> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits); >> - >> // >> // Set Memory Encryption Mask PCD >> // >> + EncryptionMask = MemEncryptSevGetEncryptionMask (); >> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask); >> ASSERT_RETURN_ERROR (PcdStatus); >> >> diff --git a/OvmfPkg/XenPlatformPei/AmdSev.c b/OvmfPkg/XenPlatformPei/AmdSev.c >> index 7ebbb5cc1fd2..4ed448632ae2 100644 >> --- a/OvmfPkg/XenPlatformPei/AmdSev.c >> +++ b/OvmfPkg/XenPlatformPei/AmdSev.c >> @@ -1,7 +1,7 @@ >> /**@file >> Initialize Secure Encrypted Virtualization (SEV) support >> >> - Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
>> + Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.
>> Copyright (c) 2019, Citrix Systems, Inc. >> >> SPDX-License-Identifier: BSD-2-Clause-Patent >> @@ -14,8 +14,6 @@ >> #include >> #include >> #include >> -#include >> -#include >> >> #include "Platform.h" >> >> @@ -30,7 +28,6 @@ AmdSevInitialize ( >> VOID >> ) >> { >> - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; >> UINT64 EncryptionMask; >> RETURN_STATUS PcdStatus; >> >> @@ -41,15 +38,10 @@ AmdSevInitialize ( >> return; >> } >> >> - // >> - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) >> - // >> - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); >> - EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits); >> - >> // >> // Set Memory Encryption Mask PCD >> // >> + EncryptionMask = MemEncryptSevGetEncryptionMask (); >> PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask); >> ASSERT_RETURN_ERROR (PcdStatus); >> >> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> index b08f31157cbf..8c0d432050df 100644 >> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm >> @@ -145,13 +145,21 @@ GetSevEncBit: >> >> ; The encryption bit position is always above 31 >> sub ebx, 32 >> - jns SevExit >> + jns SevSaveMask >> >> ; Encryption bit was reported as 31 or below, enter a HLT loop >> SevEncBitLowHlt: >> hlt >> jmp SevEncBitLowHlt >> >> +SevSaveMask: >> + xor edx, edx >> + bts edx, ebx >> + >> + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 >> + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx >> + jmp SevExit >> + >> NoSev: >> ; >> ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. >> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb >> index d3aa87982959..5fbacaed5f9d 100644 >> --- a/OvmfPkg/ResetVector/ResetVector.nasmb >> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb >> @@ -74,6 +74,7 @@ >> %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) >> %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) >> %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) >> + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) >> %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) >> %include "Ia32/Flat32ToFlat64.asm" >> %include "Ia32/PageTables64.asm" >> >