From: "Lendacky, Thomas"
To: devel@edk2.groups.io
CC: Brijesh Singh, James Bottomley, Jordan Justen, Laszlo Ersek, Ard Biesheuvel
Subject: [PATCH v2 05/15] OvmfPkg/MemEncryptSevLib: Save the encryption mask at boot time
Date: Wed, 6 Jan 2021 15:21:31 -0600
X-Mailer: git-send-email 2.30.0

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

The early assembler code performs validation for some of the SEV-related
information, specifically the encryption bit position. To avoid having to
re-validate the encryption bit position as the system proceeds through its
boot phases, save the validated encryption bit position in the SEV-ES work
area for use by later phases.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Brijesh Singh
Signed-off-by: Tom Lendacky
--- OvmfPkg/Include/Library/MemEncryptSevLib.h | 2 ++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +++++++++- OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index dc09c61e58bb..a2c70aa550fe 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT8 Reserved1[7]; =20 UINT64 RandomData; + + UINT64 EncryptionMask; } SEC_SEV_ES_WORK_AREA; =20 /** diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index a1771dfdec23..5fae8986d9da 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
@@ -145,7 +145,7 @@ GetSevEncBit: =20 ; The encryption bit position is always above 31 sub ebx, 32 - jns SevExit + jns SevSaveMask =20 ; Encryption bit was reported as 31 or below, enter a HLT loop SevEncBitLowHlt: @@ -153,6 +153,14 @@ SevEncBitLowHlt: hlt jmp SevEncBitLowHlt =20 +SevSaveMask: + xor edx, edx + bts edx, ebx + + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx + jmp SevExit + NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred= . diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index d3aa87982959..5fbacaed5f9d 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -74,6 +74,7 @@ %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm" --=20 2.30.0
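
Review bot: In the MemEncryptSevLib.h hunk, the new `UINT64 EncryptionMask;` member of SEC_SEV_ES_WORK_AREA carries no comment saying what it holds or when it is valid. From the PageTables64.asm hunk it is a 64-bit value with the low dword zero and a single bit set in the high dword, and the only store to it in this patch is on the path through SevSaveMask. A short comment on the field stating that, and that a consumer should establish that SEV is active before using the value, would keep later phases from relying on a location the reset vector never wrote.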
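
Review bot: In the SevSaveMask block added to PageTables64.asm, `bts edx, ebx` with a register destination takes the bit offset modulo 32, so the stored mask is only the intended one if ebx is in the range 0..31 at that point. The hunk shows the lower bound being enforced (`sub ebx, 32` followed by `jns SevSaveMask`) but no upper bound. If the earlier part of GetSevEncBit already limits the reported position to 63 or below, a comment above the `bts` saying so would make the assumption reviewable; otherwise add a compare and send out-of-range values to the same HLT loop as SevEncBitLowHlt, since a wrapped bit here would be saved as a validated mask and trusted by every later phase.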
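
Review bot: In the ResetVector.nasmb hunk, `SEV_ES_WORK_AREA_ENC_MASK` is defined as the work area base `+ 16`, a literal that has to match the position of `EncryptionMask` in SEC_SEV_ES_WORK_AREA by hand, as `+ 8` already does for `RandomData`. Nothing in the patch ties the two together, so a field later inserted ahead of `EncryptionMask` would make the C side read a different location than the assembler wrote. Consider a STATIC_ASSERT on OFFSET_OF (SEC_SEV_ES_WORK_AREA, EncryptionMask) being 16 next to the structure definition, or at least a comment on each side naming the other.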