From: "Lendacky, Thomas"
Date: Fri, 30 Apr 2021 13:50:59 -0500
Subject: Re: [edk2-devel] [PATCH v3 0/5] SEV-ES TPM enablement fixes
To: Laszlo Ersek, devel@edk2.groups.io
CC: Joerg Roedel, Borislav Petkov, Ard Biesheuvel, Jordan Justen, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Min Xu, Marc-André Lureau, Stefan Berger
In-Reply-To: <337e5c84-b5b6-9f55-a3e6-9418891e9f1b@redhat.com>

On 4/30/21 1:44 PM, Laszlo Ersek wrote:
> On 04/29/21 19:12, Lendacky, Thomas wrote:
>> This patch series provides fixes for using TPM support with an SEV-ES
>> guest.
>>
>> The fixes include:
>>
>> - Decode ModRM byte for MOVZX and MOVSX opcodes.
>> - Add MMIO support for MOV opcodes 0xA0-0xA3.
>> - Create a new TPM MMIO ready PPI guid, gOvmfTpmMmioAccessiblePpiGuid
>> - Mark TPM MMIO range as un-encrypted during PEI phase for an SEV-ES
>>   guest and install the TPM MMIO ready PPI guid.
>> - Update the Tcg2Config Depex to ensure the new PEIM runs before the
>>   Tcg2Config PEIM
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345
>>
>> ---
>>
>> These patches are based on commit:
>> ab957f036f67 ("BaseTools/Source/Python: New Target/ToolChain/Arch in DSC [BuildOptions]")
>
> Merged in commit range ab957f036f67..1e6b0394d6c0, via
> .

Thanks for all your help getting this fixed, Laszlo!

Tom

>
> Thanks,
> Laszlo
>
>>
>> Changes since:
>>
>> v2:
>> - Update the TPM PEIM to only perform the mapping change when SEV-ES is
>>   active (with a comment in the code to explain why).
>> - Update the TPM PEIM file header comment.
>> - Updates to the INF file (INF_VERSION, Packages, LibraryClasses, etc.).
>> - Updates to PEIM file order in DSC and FDF files.
>> - Split out Tcg2Config Depex change to a separate patch.
>>
>> v1:
>> - Create a TPM PEIM that will map the TPM address range as unencrypted and
>>   install a new PPI to indicate the mapping change is complete.
>>
>> Cc: Laszlo Ersek
>> Cc: Ard Biesheuvel
>> Cc: Jordan Justen
>> Cc: Brijesh Singh
>> Cc: Erdem Aktas
>> Cc: James Bottomley
>> Cc: Jiewen Yao
>> Cc: Min Xu
>> Cc: Marc-André Lureau
>> Cc: Stefan Berger
>>
>> Tom Lendacky (5):
>>   OvfmPkg/VmgExitLib: Properly decode MMIO MOVZX and MOVSX opcodes
>>   OvmfPkg/VmgExitLib: Add support for new MMIO MOV opcodes
>>   OvmfPkg: Define a new PPI GUID to signal TPM MMIO accessability
>>   OvmfPkg/Tcg2ConfigPei: Mark TPM MMIO range as unencrypted for SEV-ES
>>   OvmfPkg/Tcg2ConfigPei: Update Depex for IA32 and X64
>>
>>  OvmfPkg/OvmfPkg.dec                                       |   4 +
>>  OvmfPkg/AmdSev/AmdSevX64.dsc                              |   1 +
>>  OvmfPkg/OvmfPkgIa32.dsc                                   |   1 +
>>  OvmfPkg/OvmfPkgIa32X64.dsc                                |   1 +
>>  OvmfPkg/OvmfPkgX64.dsc                                    |   1 +
>>  OvmfPkg/AmdSev/AmdSevX64.fdf                              |   1 +
>>  OvmfPkg/OvmfPkgIa32.fdf                                   |   1 +
>>  OvmfPkg/OvmfPkgIa32X64.fdf                                |   1 +
>>  OvmfPkg/OvmfPkgX64.fdf                                    |   1 +
>>  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf                  |   2 +-
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf |  40 +++++++
>>  OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c             | 120 +++++++++++++++++++-
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPeim.c  |  87 ++++++++++++++
>>  13 files changed, 258 insertions(+), 3 deletions(-)
>>  create mode 100644 OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
>>  create mode 100644 OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPeim.c
>>
>
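
Added example, not code from the patch series or from edk2: a minimal C decoder for the direct-offset MOV forms (opcodes 0xA0-0xA3) named in the cover letter, showing what a guest-side MMIO handler has to recover from such an instruction: direction, operand width, target address and instruction length. The function name, the struct and the sample byte strings are constructed for illustration; 64-bit mode is assumed and segment-override prefixes are not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* One decoded access for the direct-offset MOV forms (opcodes 0xA0-0xA3). */
typedef struct {
    int      is_write;  /* 1: rAX -> memory (A2/A3), 0: memory -> rAX (A0/A1) */
    unsigned bytes;     /* operand width: 1, 2, 4 or 8 */
    uint64_t address;   /* absolute offset (moffs) encoded in the instruction */
    size_t   length;    /* total instruction length, used to advance RIP */
} moffs_access;

/* Constructed sample encodings; the addresses are made up for the example. */
const uint8_t SAMPLE_READ8[]   = {0xA0, 0x00, 0x00, 0xD4, 0xFE, 0, 0, 0, 0};
const uint8_t SAMPLE_WRITE64[] = {0x48, 0xA3, 0x18, 0x00, 0xD4, 0xFE, 0, 0, 0, 0};
const uint8_t SAMPLE_ADDR32[]  = {0x67, 0xA1, 0x00, 0x00, 0xD4, 0xFE};
const uint8_t SAMPLE_OTHER[]   = {0x8B, 0x00};  /* MOV that uses a ModRM byte */

/* Hypothetical helper. Assumes 64-bit mode; segment overrides are not handled.
 * Returns 0 on success, -1 for any other opcode or a truncated buffer. */
int decode_mov_moffs(const uint8_t *insn, size_t len, moffs_access *out)
{
    size_t i = 0, asz, k;
    int opsize16 = 0, addr32 = 0, rex_w = 0;
    uint8_t op;

    for (; i < len && (insn[i] == 0x66 || insn[i] == 0x67); i++) {
        if (insn[i] == 0x66) opsize16 = 1;   /* operand-size override */
        else                 addr32 = 1;     /* address-size override */
    }
    if (i < len && (insn[i] & 0xF0) == 0x40) /* REX prefix, only W matters here */
        rex_w = (insn[i++] & 0x08) != 0;
    if (i >= len || insn[i] < 0xA0 || insn[i] > 0xA3)
        return -1;
    op  = insn[i++];
    asz = addr32 ? 4 : 8;                    /* moffs width follows address size */
    if (len - i < asz)
        return -1;                           /* offset bytes missing */

    out->address = 0;
    for (k = 0; k < asz; k++)                /* little-endian offset, no ModRM */
        out->address |= (uint64_t)insn[i + k] << (8 * k);
    out->is_write = (op & 0x02) != 0;        /* A2/A3 store, A0/A1 load */
    out->bytes    = !(op & 0x01) ? 1 : rex_w ? 8 : opsize16 ? 2 : 4;
    out->length   = i + asz;
    return 0;
}
```

Unlike the ModRM-encoded MOV forms, these opcodes carry the full target address inline, so the decoder never consults a register for the address and the instruction length depends only on the address-size prefix.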