From: "Lendacky, Thomas"
Date: Tue, 22 Jun 2021 18:06:24 -0500
Subject: Re: [PATCH v4 4/4] OvmfPkg/PlatformDxe: Add support for SEV live migration.
To: Ashish Kalra, devel@edk2.groups.io
Cc: brijesh.singh@amd.com, jejb@linux.ibm.com, erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com, lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com

On 6/21/21 8:57 AM, Ashish Kalra wrote:
> From: Ashish Kalra
>
> Detect for KVM hypervisor and check for SEV live migration
> feature support via KVM_FEATURE_CPUID, if detected setup a new
> UEFI environment variable to indicate OVMF support for SEV
> live migration.
> > Signed-off-by: Ashish Kalra > --- > OvmfPkg/Include/Guid/MemEncryptLib.h | 20 ++++ > OvmfPkg/OvmfPkg.dec | 1 + > OvmfPkg/PlatformDxe/AmdSev.c | 108 ++++++++++++++++++++ > OvmfPkg/PlatformDxe/Platform.c | 5 + > OvmfPkg/PlatformDxe/Platform.inf | 2 + > OvmfPkg/PlatformDxe/PlatformConfig.h | 5 + > 6 files changed, 141 insertions(+) > > diff --git a/OvmfPkg/Include/Guid/MemEncryptLib.h b/OvmfPkg/Include/Guid/MemEncryptLib.h > new file mode 100644 > index 0000000000..4c046ba439 > --- /dev/null > +++ b/OvmfPkg/Include/Guid/MemEncryptLib.h > @@ -0,0 +1,20 @@ > +/** @file > + > + AMD Memory Encryption GUID, define a new GUID for defining > + new UEFI enviroment variables assocaiated with SEV Memory Encryption. > + > + Copyright (c) 2020, AMD Inc. All rights reserved.
> + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __MEMENCRYPT_LIB_H__ > +#define __MEMENCRYPT_LIB_H__ > + > +#define MEMENCRYPT_GUID \ > +{0x0cf29b71, 0x9e51, 0x433a, {0xa3, 0xb7, 0x81, 0xf3, 0xab, 0x16, 0xb8, 0x75}} > + > +extern EFI_GUID gMemEncryptGuid; > + > +#endif > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > index 6ae733f6e3..e452dc8494 100644 > --- a/OvmfPkg/OvmfPkg.dec > +++ b/OvmfPkg/OvmfPkg.dec > @@ -122,6 +122,7 @@ > gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} > gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} > gConfidentialComputingSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} > + gMemEncryptGuid = {0x0cf29b71, 0x9e51, 0x433a, {0xa3, 0xb7, 0x81, 0xf3, 0xab, 0x16, 0xb8, 0x75}} > > [Ppis] > # PPI whose presence in the PPI database signals that the TPM base address > diff --git a/OvmfPkg/PlatformDxe/AmdSev.c b/OvmfPkg/PlatformDxe/AmdSev.c > new file mode 100644 > index 0000000000..3dbf17a8cd > --- /dev/null > +++ b/OvmfPkg/PlatformDxe/AmdSev.c Can this be done in OvmfPkg/AmdSevDxe/AmdSevDxe.c or is that too early? > @@ -0,0 +1,108 @@ > +/**@file > + Detect KVM hypervisor support for SEV live migration and if > + detected, setup a new UEFI enviroment variable indicating > + OVMF support for SEV live migration. > + > + Copyright (c) 2020, Advanced Micro Devices. All rights reserved.
> + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +// > +// The package level header files this module uses > +// > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +#define KVM_FEATURE_MIGRATION_CONTROL 17 BIT17 > + > +/** > + Figures out if we are running inside KVM HVM and > + KVM HVM supports SEV Live Migration feature. > + > + @retval TRUE KVM was detected and Live Migration supported > + @retval FALSE KVM was not detected or Live Migration not supported > + > +**/ > +BOOLEAN > +KvmDetectSevLiveMigrationFeature( > + VOID > + ) > +{ > + UINT8 Signature[13]; > + UINT32 mKvmLeaf = 0; > + UINT32 RegEax, RegEbx, RegEcx, RegEdx; > + > + Signature[12] = '\0'; > + for (mKvmLeaf = 0x40000000; mKvmLeaf < 0x40010000; mKvmLeaf += 0x100) { What's the reason for the loop? I would think that just checking 0x40000000 would be enough, so a comment seems to be warranted. > + AsmCpuid (mKvmLeaf, > + NULL, > + (UINT32 *) &Signature[0], > + (UINT32 *) &Signature[4], > + (UINT32 *) &Signature[8]); > + > + if (!AsciiStrCmp ((CHAR8 *) Signature, "KVMKVMKVM\0\0\0")) { > + DEBUG (( > + DEBUG_ERROR, DEBUG_INFO, it doesn't seem like an error. > + "%a: KVM Detected, signature = %s\n", > + __FUNCTION__, > + Signature > + )); > +> + RegEax = 0x40000001; Should this be mKvmLeaf + 1? It is confusing that you may check 0x40000100 and then not do 0x40000101. > + RegEcx = 0; > + AsmCpuid (0x40000001, &RegEax, &RegEbx, &RegEcx, &RegEdx); > + if (RegEax & (1 << KVM_FEATURE_MIGRATION_CONTROL)) { This needs to be (assuming BIT17 is used above): if ((RegEax & KVM_FEATURE_MIGRATION_CONTROL) != 0) { You must use an actual comparison if the variable is not a boolean. > + DEBUG (( > + DEBUG_ERROR, > + "%a: Live Migration feature supported\n", DEBUG_INFO again. 
> + __FUNCTION__ > + )); > + return TRUE; > + } > + } > + } > + > + return FALSE; > +} > + > +/** > + > + Function checks if SEV Live Migration support is available, if present then it sets > + a UEFI enviroment variable to be queried later using Runtime services. > + > + **/ > +VOID > +AmdSevSetConfig( Kind of a generic name for what is being done. > + VOID > + ) > +{ > + EFI_STATUS Status; > + BOOLEAN SevLiveMigrationEnabled; > + > + SevLiveMigrationEnabled = KvmDetectSevLiveMigrationFeature(); > + > + if (SevLiveMigrationEnabled) { > + Status = gRT->SetVariable ( > + L"SevLiveMigrationEnabled", > + &gMemEncryptGuid, > + EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS, > + sizeof (BOOLEAN), > + &SevLiveMigrationEnabled > + ); > + > + DEBUG (( > + DEBUG_ERROR, > + "%a: Setting SevLiveMigrationEnabled variable, status = %lx\n", DEBUG_INFO. Thanks, Tom > + __FUNCTION__, > + Status > + )); > + } > +} > diff --git a/OvmfPkg/PlatformDxe/Platform.c b/OvmfPkg/PlatformDxe/Platform.c > index f2e51960ce..f61302d98b 100644 > --- a/OvmfPkg/PlatformDxe/Platform.c > +++ b/OvmfPkg/PlatformDxe/Platform.c > @@ -763,6 +763,11 @@ PlatformInit ( > { > EFI_STATUS Status; > > + // > + // Set Amd Sev configuation > + // > + AmdSevSetConfig(); > + > ExecutePlatformConfig (); > > mConfigAccess.ExtractConfig = &ExtractConfig; > diff --git a/OvmfPkg/PlatformDxe/Platform.inf b/OvmfPkg/PlatformDxe/Platform.inf > index 14727c1220..2896f0a1d1 100644 > --- a/OvmfPkg/PlatformDxe/Platform.inf > +++ b/OvmfPkg/PlatformDxe/Platform.inf > @@ -24,6 +24,7 @@ > PlatformConfig.c > PlatformConfig.h > PlatformForms.vfr > + AmdSev.c > > [Packages] > MdePkg/MdePkg.dec > @@ -56,6 +57,7 @@ > [Guids] > gEfiIfrTianoGuid > gOvmfPlatformConfigGuid > + gMemEncryptGuid > > [Depex] > gEfiHiiConfigRoutingProtocolGuid AND > diff --git a/OvmfPkg/PlatformDxe/PlatformConfig.h b/OvmfPkg/PlatformDxe/PlatformConfig.h > index 716514da21..4f662aafa4 100644 
> --- a/OvmfPkg/PlatformDxe/PlatformConfig.h > +++ b/OvmfPkg/PlatformDxe/PlatformConfig.h > @@ -44,6 +44,11 @@ PlatformConfigLoad ( > OUT UINT64 *OptionalElements > ); > > +VOID > +AmdSevSetConfig( > + VOID > + ); > + > // > // Feature flags for OptionalElements. > // >
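
Review bot: In the new OvmfPkg/Include/Guid/MemEncryptLib.h hunk, the file name and the __MEMENCRYPT_LIB_H__ guard read as a library class header, yet the file only declares a GUID (MEMENCRYPT_GUID and gMemEncryptGuid). Naming the header after the GUID it defines would avoid that confusion, and the file comment has two typos to fix while there ("enviroment", "assocaiated"). The GUID value is also written out twice, here and in the OvmfPkg.dec hunk, so the two copies have to be kept in sync by hand.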
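
Review bot: In the OvmfPkg/PlatformDxe/AmdSev.c hunk, AmdSevSetConfig() writes SevLiveMigrationEnabled with EFI_VARIABLE_NON_VOLATILE but only on the detected path, so once set the variable can survive into later boots where KvmDetectSevLiveMigrationFeature() returns FALSE, and a consumer reading it at runtime gets a stale TRUE. Either drop EFI_VARIABLE_NON_VOLATILE or delete the variable on the FALSE path, and test Status with EFI_ERROR() instead of only logging it. The DEBUG format strings in the same hunk also need attention: Signature is an ASCII buffer, so it should be printed with %a rather than %s (which PrintLib treats as a CHAR16 string), and EFI_STATUS is normally printed with %r rather than %lx.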
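
Review bot: In the OvmfPkg/PlatformDxe/Platform.c hunk, PlatformInit() calls AmdSevSetConfig() unconditionally, and nothing in the visible AmdSev.c code checks that SEV is actually active; the only gate is the KVM CPUID signature and feature bit. A non-SEV KVM guest whose host advertises the bit would therefore get the SevLiveMigrationEnabled variable as well. Gate the call (or the function body) on an SEV-enabled check such as MemEncryptSevIsEnabled(), and fix the "configuation" typo and the missing space before the parenthesis in "AmdSevSetConfig();" while touching these lines.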