From: "Lendacky, Thomas"
To: devel@edk2.groups.io
CC: Brijesh Singh, James Bottomley, Jordan Justen, Laszlo Ersek, Ard Biesheuvel
Subject: [PATCH v2 01/15] Ovmf/ResetVector: Simplify and consolidate the SEV features checks
Date: Wed, 6 Jan 2021 15:21:27 -0600

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

Simplify and consolidate the SEV and SEV-ES checks into a single routine. This new routine will use CPUID to check for the appropriate CPUID leaves and the required values, as well as read the non-interceptable SEV status MSR (0xc0010131) to check SEV and SEV-ES enablement.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Brijesh Singh
Reviewed-by: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 75 ++++++++++++--------
 1 file changed, 45 insertions(+), 30 deletions(-)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index 7c72128a84d6..4032719c3075 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -3,6 +3,7 @@ ; Sets the CR3 register for 64-bit paging ; ; Copyright (c) 2008 - 2013, Intel Corporation. All rights reserved.
+; Copyright (c) 2017 - 2020, Advanced Micro Devices, Inc. All rights reser= ved.
; SPDX-License-Identifier: BSD-2-Clause-Patent ; ;-------------------------------------------------------------------------= ----- @@ -62,18 +63,22 @@ BITS 32 %define CPUID_INSN_LEN 2 =20 =20 -; Check if Secure Encrypted Virtualization (SEV) feature is enabled +; Check if Secure Encrypted Virtualization (SEV) features are enabled. +; +; Register usage is tight in this routine, so multiple calls for the +; same CPUID and MSR data are performed to keep things simple. ; ; Modified: EAX, EBX, ECX, EDX, ESP ; ; If SEV is enabled then EAX will be at least 32. ; If SEV is disabled then EAX will be zero. ; -CheckSevFeature: +CheckSevFeatures: ; Set the first byte of the workarea to zero to communicate to the SEC ; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID ; instruction will trigger a #VC exception where the first byte of the - ; workarea will be set to one. + ; workarea will be set to one or, if CPUID is not being intercepted, + ; the MSR check below will set the first byte of the workarea to one. mov byte[SEV_ES_WORK_AREA], 0 =20 ; 
@@ -97,21 +102,41 @@ CheckSevFeature: cmp eax, 0x8000001f jl NoSev =20 - ; Check for memory encryption feature: + ; Check for SEV memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 1 ; CPUID raises a #VC exception if running as an SEV-ES guest - mov eax, 0x8000001f + mov eax, 0x8000001f cpuid bt eax, 1 jnc NoSev =20 - ; Check if memory encryption is enabled + ; Check if SEV memory encryption is enabled ; MSR_0xC0010131 - Bit 0 (SEV enabled) mov ecx, 0xc0010131 rdmsr bt eax, 0 jnc NoSev =20 + ; Check for SEV-ES memory encryption feature: + ; CPUID Fn8000_001F[EAX] - Bit 3 + ; CPUID raises a #VC exception if running as an SEV-ES guest + mov eax, 0x8000001f + cpuid + bt eax, 3 + jnc GetSevEncBit + + ; Check if SEV-ES is enabled + ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) + mov ecx, 0xc0010131 + rdmsr + bt eax, 1 + jnc GetSevEncBit + + ; Set the first byte of the workarea to one to communicate to the SEC + ; phase that SEV-ES is enabled. + mov byte[SEV_ES_WORK_AREA], 1 + +GetSevEncBit: ; Get pte bit position to enable memory encryption ; CPUID Fn8000_001F[EBX] - Bits 5:0 ; 
@@ -132,45 +157,35 @@ SevExit: pop eax mov esp, 0 =20 - OneTimeCallRet CheckSevFeature + OneTimeCallRet CheckSevFeatures =20 ; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feat= ure ; is enabled. ; -; Modified: EAX, EBX, ECX +; Modified: EAX ; ; If SEV-ES is enabled then EAX will be non-zero. ; If SEV-ES is disabled then EAX will be zero. ; -CheckSevEsFeature: +IsSevEsEnabled: xor eax, eax =20 - ; SEV-ES can't be enabled if SEV isn't, so first check the encryption - ; mask. - test edx, edx - jz NoSevEs + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if + ; SEV-ES is enabled. + cmp byte[SEV_ES_WORK_AREA], 1 + jne SevEsDisabled =20 - ; Save current value of encryption mask - mov ebx, edx + mov eax, 1 =20 - ; Check if SEV-ES is enabled - ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) - mov ecx, 0xc0010131 - rdmsr - and eax, 2 - - ; Restore encryption mask - mov edx, ebx - -NoSevEs: - OneTimeCallRet CheckSevEsFeature +SevEsDisabled: + OneTimeCallRet IsSevEsEnabled =20 ; ; Modified: EAX, EBX, ECX, EDX ; SetCr3ForPageTables64: =20 - OneTimeCall CheckSevFeature + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax jz SevNotActive @@ -229,7 +244,7 @@ pageTableEntriesLoop: mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx loop pageTableEntriesLoop =20 - OneTimeCall CheckSevEsFeature + OneTimeCall IsSevEsEnabled test eax, eax jz SetCr3 =20 @@ -336,8 +351,8 @@ SevEsIdtVmmComm: ; If we're here, then we are an SEV-ES guest and this ; was triggered by a CPUID instruction ; - ; Set the first byte of the workarea to one to communicate to the SEC - ; phase that SEV-ES is enabled. + ; Set the first byte of the workarea to one to communicate that + ; a #VC was taken. mov byte[SEV_ES_WORK_AREA], 1 =20 pop ecx ; Error code --=20 2.30.0
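
Review bot: The header block of CheckSevFeatures (hunk @@ -62,18 +63,22 @@) documents the modified registers and the EAX return contract, but not that the routine now also produces a second output: byte 0 of SEV_ES_WORK_AREA, which it clears on entry and may set to one. IsSevEsEnabled depends on that byte, so the header should list it next to the "Modified:" line, for example as "Output: SEV_ES_WORK_AREA byte 0 is 1 if SEV-ES is enabled, otherwise 0".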
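
Review bot: In the new SEV-ES block (hunk @@ -97,21 +102,41 @@) both "jnc GetSevEncBit" exits leave SEV_ES_WORK_AREA untouched, so only a positive result from MSR 0xc0010131 bit 1 is recorded. If the #VC handler already wrote one to the byte during one of the earlier CPUID calls, that value survives even when "bt eax, 3" or "bt eax, 1" reads clear. The commit message relies on the MSR being the non-interceptable source, so either store the MSR result explicitly on the negative path as well, or add a comment saying that a byte set by the #VC path is intentionally kept.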
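
Review bot: IsSevEsEnabled (hunk @@ -132,45 +157,35 @@) no longer reads the MSR itself and is only correct after CheckSevFeatures has run, but its header does not state that ordering requirement. Please add it there. The comment inside the routine also says the byte "was set to 1 if SEV-ES is enabled", while the updated comment in SevEsIdtVmmComm (hunk @@ -336,8 +351,8 @@) describes the same "mov byte[SEV_ES_WORK_AREA], 1" as communicating "that a #VC was taken". The two comments should agree on what a value of one means, since "cmp byte[SEV_ES_WORK_AREA], 1" cannot tell the two writers apart.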