From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
Date: Sat, 9 May 2020 09:34:00 -0500
Subject: Re: [PATCH v7 00/43] SEV-ES guest support
To: "Ni, Ray", devel@edk2.groups.io
Cc: "Justen, Jordan L", Laszlo Ersek, Ard Biesheuvel, "Kinney, Michael D",
  "Gao, Liming", "Dong, Eric", Brijesh Singh, "You, Benjamin", "Bi, Dandan",
  "Dong, Guo", "Wu, Hao A", "Wang, Jian J", "Ma, Maurice"
In-Reply-To: <734D49CCEBEEF84792F5B80ED585239D5C530D55@SHSMSX104.ccr.corp.intel.com>
References: <4da69262-e6a8-1374-2853-dab2a8f193d3@amd.com>
  <734D49CCEBEEF84792F5B80ED585239D5C530D55@SHSMSX104.ccr.corp.intel.com>

On 5/9/20 1:44 AM, Ni, Ray wrote:
> Tom,

Hi Ray,

> I have a bit of a concern about your change that directly modifies
> CpuExceptionHandlerLib to handle exception #29. Today's
> CpuExceptionHandlerLib simply dumps the exception context for every
> exception. Any component which wants to do specific handling of certain
> exceptions should call RegisterCpuInterruptHandler(), such as this code
> in the CpuDxe driver:
>
>   if (HEAP_GUARD_NONSTOP_MODE || NULL_DETECTION_NONSTOP_MODE) {
>     RegisterCpuInterruptHandler (EXCEPT_IA32_DEBUG, DebugExceptionHandler);
>     RegisterCpuInterruptHandler (EXCEPT_IA32_PAGE_FAULT, PageFaultExceptionHandler);
>   }
>
> Is it possible for your feature to follow the same pattern?
There are two problems:

The first is that RegisterCpuInterruptHandler() is not implemented for
both the SEC and PEI phases, so it is not currently possible to register
a handler that early.

The second is that I need to be able to propagate an exception request
from the hypervisor. With the current implementation there doesn't appear
to be an easy way to perform this propagation.

If there's a way to accomplish both of the above I wouldn't be opposed to
using RegisterCpuInterruptHandler() as long as there are no #VCs that can
occur between initializing exception handling and registering the #VC
handler.

Thanks,
Tom

>
> Thanks,
> Ray
>
>> -----Original Message-----
>> From: Tom Lendacky
>> Sent: Saturday, May 9, 2020 3:16 AM
>> To: devel@edk2.groups.io
>> Cc: Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Kinney, Michael D;
>> Gao, Liming; Dong, Eric; Ni, Ray; Brijesh Singh; You, Benjamin;
>> Bi, Dandan; Dong, Guo; Wu, Hao A; Wang, Jian J; Ma, Maurice
>> Subject: Re: [PATCH v7 00/43] SEV-ES guest support
>>
>> I was able to use the pull request method that Laszlo documented and fixed
>> up all of the issues identified by the VS compiler.
>>
>> An additional change I'm planning to make for the next version (v8) of the
>> patches is to create a NULL library instance of the VmgExitLib that will
>> also include the #VC handler function. This will reduce the amount of code
>> associated with this feature for platforms that don't use/support SEV-ES.
>>
>> Laszlo, this will mean that I will introduce a version of the VmgExitLib
>> under OvmfPkg that will provide the majority of the functionality that is
>> present today in UefiCpuPkg. In essence, the functionality in v7 patches 8
>> and 11 - 25 will now live under OvmfPkg instead of UefiCpuPkg. I think
>> this is the better way to do this. Let me know if you have any concerns.
>>
>> Thanks,
>> Tom
>>
>> On 4/22/20 12:41 PM, Tom Lendacky wrote:
>>> This patch series provides support for running EDK2/OVMF under SEV-ES.
>>>
>>> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
>>> SEV support to protect the guest register state from the hypervisor. See
>>> "AMD64 Architecture Programmer's Manual Volume 2: System Programming",
>>> section "15.35 Encrypted State (SEV-ES)" [1].
>>>
>>> In order to allow a hypervisor to perform functions on behalf of a guest,
>>> there is architectural support for notifying a guest's operating system
>>> when certain types of VMEXITs are about to occur. This allows the guest to
>>> selectively share information with the hypervisor to satisfy the requested
>>> function. The notification is performed using a new exception, the VMM
>>> Communication exception (#VC). The information is shared through the
>>> Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
>>> The GHCB format and the protocol for using it are documented in "SEV-ES
>>> Guest-Hypervisor Communication Block Standardization" [2].
>>>
>>> The main areas of the EDK2 code that are updated to support SEV-ES are
>>> around the exception handling support and the AP boot support.
>>>
>>> Exception support is required starting in Sec, continuing through Pei
>>> and into Dxe in order to handle #VC exceptions that are generated. Each
>>> AP requires its own GHCB page as well as a page to hold values specific
>>> to that AP.
>>>
>>> AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
>>> is typically used to boot the APs. However, the hypervisor is not allowed
>>> to update the guest registers. The GHCB document [2] talks about how SMP
>>> booting under SEV-ES is performed.
>>>
>>> Since the GHCB page must be a shared (unencrypted) page, the processor
>>> must be running in long mode in order for the guest and hypervisor to
>>> communicate with each other. As a result, SEV-ES is only supported under
>>> the X64 architecture.
>>>
>>> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
>>> [2] https://developer.amd.com/wp-content/resources/56421.pdf
>>>
>>> ---
>>>
>>> These patches are based on commit:
>>> be7295b36405 (".python/SpellCheck: Increase SpellCheck plugin max failures")
>>>
>>> Proper execution of SEV-ES relies on Bugzilla 2340 being fixed.
>>>
>>> A version of the tree (with an extra patch to workaround Bugzilla 2340) can
>>> be found at:
>>> https://github.com/AMDESE/ovmf/tree/sev-es-v14
>>>
>>> Cc: Ard Biesheuvel
>>> Cc: Benjamin You
>>> Cc: Dandan Bi
>>> Cc: Eric Dong
>>> Cc: Guo Dong
>>> Cc: Hao A Wu
>>> Cc: Jian J Wang
>>> Cc: Jordan Justen
>>> Cc: Laszlo Ersek
>>> Cc: Liming Gao
>>> Cc: Maurice Ma
>>> Cc: Michael D Kinney
>>> Cc: Ray Ni
>>>
>>> Changes since v6:
>>> - Add function comments to all functions, including local functions
>>> - Add function parameter direction to all functions (in/out)
>>> - Add support for MMIO MOVZX/MOVSX instructions
>>> - Ensure the per-CPU variable page remains encrypted
>>> - Coding-style fixes as identified by Ecc
>>>
>>> Changes since v5:
>>> - Remove extraneous VmgExitLib usage
>>> - Miscellaneous changes to address feedback (coding style, etc.)
>>>
>>> Changes since v4:
>>> - Move the SEV-ES protocol negotiation out of the SEC exception handler
>>>   and into the SecMain.c file. As a result:
>>>   - Move the SecGhcb related PCDs out of UefiCpuPkg and into OvmfPkg
>>>   - Combine SecAMDSevVcHandler.c and PeiDxeAMDSevVcHandler.c into a
>>>     single AMDSevVcHandler.c
>>> - Consolidate VmgExitLib usage into common LibraryClasses sections
>>> - Add documentation comments to the VmgExitLib functions
>>>
>>> Changes since v3:
>>> - Remove the need for the MP library finalization routine. The AP
>>>   jump table address will be held by the hypervisor rather than
>>>   communicated via the GHCB MSR. This removes some fragility around
>>>   the UEFI to OS transition.
>>> - Rename the SEV-ES RIP reset area to SEV-ES workarea and use it to
>>>   communicate the SEV-ES status, so that SEC CPU exception handling is
>>>   only established for an SEV-ES guest.
>>> - Fix SMM build breakage around QemuFlashPtrWrite().
>>> - Fix SMM build breakage by adding VC exception support to the SMM CPU
>>>   exception handling.
>>> - Add memory fencing around the invocation of AsmVmgExit().
>>> - Clarify comments around the SEV-ES AP reset RIP values and usage.
>>> - Move some PCD definitions from MdeModulePkg to UefiCpuPkg.
>>> - Remove the 16-bit code selector definition from MdeModulePkg
>>>
>>> Changes since v2:
>>> - Added a way to locate the SEV-ES fixed AP RIP address for starting
>>>   APs to avoid updating the actual flash image (build time location
>>>   that is identified with a GUID value).
>>> - Create a VmgExit library to replace static inline functions.
>>> - Move some PCDs to the appropriate packages
>>> - Add support for writing to QEMU flash under SEV-ES
>>> - Add additional MMIO opcode support
>>> - Cleaned up the GHCB MSR CPUID protocol support
>>>
>>> Changes since v1:
>>> - Patches reworked to be more specific to the component/area being updated
>>>   and order of definition/usage
>>> - Created a library for VMGEXIT-related functions to replace use of inline
>>>   functions
>>> - Allocation method for GDT changed from AllocatePool to AllocatePages
>>> - Early caching only enabled for SEV-ES guests
>>> - Ensure AP loop mode set to halt loop mode for SEV-ES guests
>>> - Reserved SEC GHCB-related memory areas when S3 is enabled
>>>
>>> Tom Lendacky (43):
>>>   MdeModulePkg: Create PCDs to be used in support of SEV-ES
>>>   UefiCpuPkg: Create PCD to be used in support of SEV-ES
>>>   MdePkg: Add the MSR definition for the GHCB register
>>>   MdePkg: Add a structure definition for the GHCB
>>>   MdeModulePkg/DxeIplPeim: Support GHCB pages when creating page tables
>>>   MdePkg/BaseLib: Add support for the XGETBV instruction
>>>   MdePkg/BaseLib: Add support for the VMGEXIT instruction
>>>   UefiCpuPkg: Implement library support for VMGEXIT
>>>   OvmfPkg: Prepare OvmfPkg to use the VmgExitLib library
>>>   UefiPayloadPkg: Prepare UefiPayloadPkg to use the VmgExitLib library
>>>   UefiCpuPkg/CpuExceptionHandler: Add base support for the #VC exception
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for IOIO_PROT NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Support string IO for IOIO_PROT NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for CPUID NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MSR_PROT NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for NPF NAE events (MMIO)
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for WBINVD NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSC NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDPMC NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for INVD NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for VMMCALL NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for RDTSCP NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MONITOR/MONITORX NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for MWAIT/MWAITX NAE events
>>>   UefiCpuPkg/CpuExceptionHandler: Add support for DR7 Read/Write NAE events
>>>   OvmfPkg/MemEncryptSevLib: Add an SEV-ES guest indicator function
>>>   OvmfPkg: Add support to perform SEV-ES initialization
>>>   OvmfPkg: Create a GHCB page for use during Sec phase
>>>   OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported
>>>   OvmfPkg: Create GHCB pages for use during Pei and Dxe phase
>>>   OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled
>>>   UefiCpuPkg: Create an SEV-ES workarea PCD
>>>   OvmfPkg: Reserve a page in memory for the SEV-ES usage
>>>   OvmfPkg/ResetVector: Add support for a 32-bit SEV check
>>>   OvmfPkg/Sec: Add #VC exception handling for Sec phase
>>>   OvmfPkg/Sec: Enable cache early to speed up booting
>>>   OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Bypass flash detection with SEV-ES is enabled
>>>   UefiCpuPkg: Add a 16-bit protected mode code segment descriptor
>>>   UefiCpuPkg/MpInitLib: Add CPU MP data flag to indicate if SEV-ES is enabled
>>>   UefiCpuPkg: Allow AP booting under SEV-ES
>>>   OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector
>>>   OvmfPkg: Move the GHCB allocations into reserved memory
>>>   UefiCpuPkg/MpInitLib: Prepare SEV-ES guest APs for OS use
>>>
>>>  MdeModulePkg/MdeModulePkg.dec                    |    9 +
>>>  OvmfPkg/OvmfPkg.dec                              |    9 +
>>>  UefiCpuPkg/UefiCpuPkg.dec                        |   17 +
>>>  OvmfPkg/OvmfPkgIa32.dsc                          |    6 +
>>>  OvmfPkg/OvmfPkgIa32X64.dsc                       |    6 +
>>>  OvmfPkg/OvmfPkgX64.dsc                           |    6 +
>>>  OvmfPkg/OvmfXen.dsc                              |    1 +
>>>  UefiCpuPkg/UefiCpuPkg.dsc                        |    2 +
>>>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc            |    2 +
>>>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc         |    2 +
>>>  OvmfPkg/OvmfPkgX64.fdf                           |    9 +
>>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf          |    2 +
>>>  MdePkg/Library/BaseLib/BaseLib.inf               |    4 +
>>>  OvmfPkg/PlatformPei/PlatformPei.inf              |    7 +
>>>  .../FvbServicesRuntimeDxe.inf                    |    2 +
>>>  OvmfPkg/ResetVector/ResetVector.inf              |    8 +
>>>  OvmfPkg/Sec/SecMain.inf                          |    4 +
>>>  .../DxeCpuExceptionHandlerLib.inf                |    5 +
>>>  .../PeiCpuExceptionHandlerLib.inf                |    5 +
>>>  .../SecPeiCpuExceptionHandlerLib.inf             |    5 +
>>>  .../SmmCpuExceptionHandlerLib.inf                |    5 +
>>>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf    |    4 +
>>>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf    |    4 +
>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf     |   33 +
>>>  .../Core/DxeIplPeim/X64/VirtualMemory.h          |   12 +-
>>>  MdePkg/Include/Library/BaseLib.h                 |   31 +
>>>  MdePkg/Include/Register/Amd/Fam17Msr.h           |   42 +
>>>  MdePkg/Include/Register/Amd/Ghcb.h               |  136 ++
>>>  OvmfPkg/Include/Library/MemEncryptSevLib.h       |   12 +
>>>  .../QemuFlash.h                                  |   13 +
>>>  UefiCpuPkg/CpuDxe/CpuGdt.h                       |    4 +-
>>>  UefiCpuPkg/Include/Library/VmgExitLib.h          |  117 ++
>>>  .../CpuExceptionHandlerLib/AMDSevVcCommon.h      |   49 +
>>>  .../CpuExceptionCommon.h                         |    2 +
>>>  UefiCpuPkg/Library/MpInitLib/MpLib.h             |   68 +-
>>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c           |    4 +-
>>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c            |   11 +-
>>>  .../Core/DxeIplPeim/X64/VirtualMemory.c          |   57 +-
>>>  MdePkg/Library/BaseLib/Ia32/GccInline.c          |   45 +
>>>  MdePkg/Library/BaseLib/X64/GccInline.c           |   47 +
>>>  .../MemEncryptSevLibInternal.c                   |   75 +-
>>>  OvmfPkg/PlatformPei/AmdSev.c                     |   89 +
>>>  OvmfPkg/PlatformPei/MemDetect.c                  |   23 +
>>>  .../QemuFlash.c                                  |   23 +-
>>>  .../QemuFlashDxe.c                               |   22 +
>>>  .../QemuFlashSmm.c                               |   16 +
>>>  OvmfPkg/Sec/SecMain.c                            |  188 +-
>>>  UefiCpuPkg/CpuDxe/CpuGdt.c                       |    8 +-
>>>  .../CpuExceptionHandlerLib/AMDSevVcHandler.c     |   40 +
>>>  .../CpuExceptionCommon.c                         |    2 +-
>>>  .../Ia32/ArchAMDSevVcHandler.c                   |   38 +
>>>  .../PeiDxeSmmCpuException.c                      |   16 +
>>>  .../SecPeiCpuException.c                         |   16 +
>>>  .../X64/ArchAMDSevVcHandler.c                    | 1699 +++++++++++++++++
>>>  UefiCpuPkg/Library/MpInitLib/DxeMpLib.c          |  113 +-
>>>  UefiCpuPkg/Library/MpInitLib/MpLib.c             |  265 ++-
>>>  UefiCpuPkg/Library/MpInitLib/PeiMpLib.c          |   19 +
>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c       |  293 +++
>>>  UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmmFuncsArch.c     |    2 +-
>>>  MdeModulePkg/MdeModulePkg.uni                    |    8 +
>>>  MdePkg/Library/BaseLib/Ia32/VmgExit.nasm         |   37 +
>>>  MdePkg/Library/BaseLib/Ia32/XGetBv.nasm          |   31 +
>>>  MdePkg/Library/BaseLib/X64/VmgExit.nasm          |   32 +
>>>  MdePkg/Library/BaseLib/X64/XGetBv.nasm           |   34 +
>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm     |  100 +
>>>  OvmfPkg/ResetVector/Ia32/PageTables64.asm        |  350 +++-
>>>  OvmfPkg/ResetVector/ResetVector.nasmb            |   20 +
>>>  .../X64/ExceptionHandlerAsm.nasm                 |   17 +
>>>  UefiCpuPkg/Library/MpInitLib/Ia32/MpEqu.inc      |    2 +-
>>>  .../Library/MpInitLib/Ia32/MpFuncs.nasm          |   15 +
>>>  UefiCpuPkg/Library/MpInitLib/X64/MpEqu.inc       |    4 +-
>>>  UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm    |  370 +++-
>>>  UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni     |   15 +
>>>  .../ResetVector/Vtf0/Ia16/Real16ToFlat32.asm     |    9 +
>>>  UefiCpuPkg/UefiCpuPkg.uni                        |   11 +
>>>  75 files changed, 4707 insertions(+), 102 deletions(-)
>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.inf
>>>  create mode 100644 MdePkg/Include/Register/Amd/Ghcb.h
>>>  create mode 100644 UefiCpuPkg/Include/Library/VmgExitLib.h
>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcCommon.h
>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/AMDSevVcHandler.c
>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/Ia32/ArchAMDSevVcHandler.c
>>>  create mode 100644 UefiCpuPkg/Library/CpuExceptionHandlerLib/X64/ArchAMDSevVcHandler.c
>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.c
>>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>>>  create mode 100644 MdePkg/Library/BaseLib/Ia32/XGetBv.nasm
>>>  create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
>>>  create mode 100644 MdePkg/Library/BaseLib/X64/XGetBv.nasm
>>>  create mode 100644 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
>>>  create mode 100644 UefiCpuPkg/Library/VmgExitLib/VmgExitLib.uni
>>>
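The two ideas the thread turns on are the per-vector handler table that Ray describes (a default handler that only dumps the context, with vector-specific handlers installed through a RegisterCpuInterruptHandler()-style call) and the #VC -> GHCB -> VMGEXIT round trip that the cover letter describes. The model below, written for this page and not taken from EDK2, OVMF or AMD's code, puts both together for one NAE event (CPUID). The GHCB layout, the valid-bitmap encoding, the handler names (RegisterHandler, DispatchException, VcHandler, CpuidViaVc) and the in-process "hypervisor" are all assumptions made for illustration; the only real constant is the SVM exit code for CPUID (0x72, from the AMD APM). The point worth seeing is the guest side of the protocol: it shares only the registers the event needs, and it consumes nothing the hypervisor returns unless the hypervisor marked the field valid and reported success, because under SEV-ES the hypervisor sits outside the guest's trust boundary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: not EDK2 code. Simplified GHCB, simulated hypervisor. */
#define NUM_VECTORS    32
#define VC_VECTOR      29     /* #VC: VMM Communication exception */
#define VMEXIT_CPUID   0x72   /* SVM exit code for CPUID (AMD APM vol. 2) */
#define CPUID_INSN_LEN 2      /* CPUID encodes as 0F A2 */

/* Guest register context handed to an exception handler (constructed). */
typedef struct {
  uint64_t rax, rbx, rcx, rdx, rip;
  uint64_t exception_data;    /* for #VC: exit code of the intercepted insn */
} CpuContext;

/* Simplified GHCB (assumption; the real layout is defined in the GHCB spec). */
typedef struct {
  uint64_t rax, rbx, rcx, rdx;
  uint64_t sw_exit_code, sw_exit_info1, sw_exit_info2;
  uint32_t valid_bitmap;      /* which of the fields above carry data */
} Ghcb;

enum { V_RAX = 1u << 0, V_RBX = 1u << 1, V_RCX = 1u << 2, V_RDX = 1u << 3,
       V_EXITCODE = 1u << 4, V_INFO1 = 1u << 5, V_INFO2 = 1u << 6 };

typedef int (*ExceptionHandler)(CpuContext *ctx);
static ExceptionHandler handlers[NUM_VECTORS];

/* Library default: dump the context and report the exception as unhandled. */
static int DefaultHandler(CpuContext *ctx) {
  printf("unhandled exception: rip=%#llx rax=%#llx\n",
         (unsigned long long)ctx->rip, (unsigned long long)ctx->rax);
  return -1;
}

/* Modelled on RegisterCpuInterruptHandler(): install a vector-specific handler. */
int RegisterHandler(int vector, ExceptionHandler handler) {
  if (vector < 0 || vector >= NUM_VECTORS) return -1;
  handlers[vector] = handler;
  return 0;
}

/* Common entry: route to the registered handler, or to the default one. */
int DispatchException(int vector, CpuContext *ctx) {
  if (vector < 0 || vector >= NUM_VECTORS) return -1;
  return (handlers[vector] ? handlers[vector] : DefaultHandler)(ctx);
}

/* Simulated hypervisor side of VMGEXIT. With hv_misbehaves set it returns
 * register values without marking them valid, to exercise the guest checks. */
static int hv_misbehaves;
static void SimulatedVmgExit(Ghcb *g) {
  if (!(g->valid_bitmap & V_EXITCODE) || g->sw_exit_code != VMEXIT_CPUID) {
    g->sw_exit_info1 = 1;     /* constructed "unsupported event" status */
    g->valid_bitmap = V_INFO1;
    return;
  }
  /* Constructed CPUID answer: echo leaf/subleaf so a caller can check them. */
  g->rbx = g->rax; g->rdx = g->rcx;
  g->rax = 0xA0A0; g->rcx = 0xC0C0;
  g->sw_exit_info1 = 0;       /* success */
  g->valid_bitmap = hv_misbehaves ? V_INFO1
                                  : (V_INFO1 | V_RAX | V_RBX | V_RCX | V_RDX);
}

/* Guest #VC handler for the CPUID NAE event. Shares only leaf/subleaf and
 * refuses any result the hypervisor did not mark valid or flagged as failed. */
static int VcHandler(CpuContext *ctx) {
  Ghcb g;
  const uint32_t need = V_INFO1 | V_RAX | V_RBX | V_RCX | V_RDX;
  if (ctx->exception_data != VMEXIT_CPUID) return -1;   /* unsupported event */
  memset(&g, 0, sizeof g);
  g.rax = ctx->rax;
  g.rcx = ctx->rcx;
  g.sw_exit_code = VMEXIT_CPUID;
  g.valid_bitmap = V_RAX | V_RCX | V_EXITCODE | V_INFO1 | V_INFO2;
  SimulatedVmgExit(&g);
  if ((g.valid_bitmap & need) != need || g.sw_exit_info1 != 0) return -1;
  ctx->rax = g.rax; ctx->rbx = g.rbx; ctx->rcx = g.rcx; ctx->rdx = g.rdx;
  ctx->rip += CPUID_INSN_LEN;   /* resume after the intercepted CPUID */
  return 0;
}

/* Drive one CPUID through the #VC path; returns the handler status. */
int CpuidViaVc(uint32_t leaf, uint32_t subleaf, int misbehaving_hv, CpuContext *ctx) {
  memset(ctx, 0, sizeof *ctx);
  ctx->rax = leaf; ctx->rcx = subleaf; ctx->rip = 0x1000;
  ctx->exception_data = VMEXIT_CPUID;
  hv_misbehaves = misbehaving_hv;
  RegisterHandler(VC_VECTOR, VcHandler);
  return DispatchException(VC_VECTOR, ctx);
}

int main(void) {
  CpuContext ctx;
  int rc = CpuidViaVc(0x8000001F, 0, 0, &ctx);
  printf("honest hv: rc=%d rbx=%#llx rip=%#llx\n", rc,
         (unsigned long long)ctx.rbx, (unsigned long long)ctx.rip);
  rc = CpuidViaVc(0x8000001F, 0, 1, &ctx);
  printf("misbehaving hv: rc=%d\n", rc);
  rc = DispatchException(13, &ctx);   /* #GP with no handler registered */
  printf("unregistered vector: rc=%d\n", rc);
  return 0;
}
```

DispatchException() is the piece Ray's pattern standardizes: every vector without a registered handler falls through to the context dump, and a feature installs its own handler instead of editing the library. Tom's two objections are about what this model glosses over: there is no RegisterHandler() available in SEC/PEI, and the hypervisor can also initiate a request toward the guest, which a plain table lookup keyed on the guest's own faulting instruction does not express.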