From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Michael Roth <michael.roth@amd.com>
Cc: devel@edk2.groups.io, Tom Lendacky <thomas.lendacky@amd.com>,
Ard Biesheuvel <ardb@kernel.org>,
Erdem Aktas <erdemaktas@google.com>,
Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>,
Jianyong Wu <jianyong.wu@arm.com>,
Anatol Belski <anbelski@linux.microsoft.com>
Subject: Re: [edk2-devel] [PATCH] OvmfPkg: Don't make APIC MMIO accesses with encryption bit set
Date: Wed, 24 Apr 2024 13:54:01 +0200 [thread overview]
Message-ID: <k5vzhxgbisuajgvuthtq7uciyq4a36hjcjoicqtdfuwfv4mdcx@jbaljldsjfin> (raw)
In-Reply-To: <20240423205958.1791780-1-michael.roth@amd.com>
On Tue, Apr 23, 2024 at 03:59:58PM -0500, Michael Roth wrote:
> For the most part, OVMF will clear the encryption bit for MMIO regions,
> but there is currently one known exception during SEC when the APIC
> base address is accessed via MMIO with the encryption bit set for
> SEV-ES/SEV-SNP guests.
what exactly accesses the lapic that early?
> +/**
> + Map known MMIO regions unencrypted if SEV-ES is active.
> +
> + During early booting, page table entries default to having the encryption bit
> + set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
> + encryption bit should be cleared. Clear it here for any known MMIO accesses
> + during SEC, which is currently just the APIC base address.
> +
> +**/
> +VOID
> +SecMapApicBaseUnencrypted (
> + VOID
> + )
> +{
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level4Entry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level3Entry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level2Entry;
> + PAGE_TABLE_4K_ENTRY *Level1Entry;
> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
> + PHYSICAL_ADDRESS Cr3;
> + UINT64 ApicAddress;
> + UINT64 PgTableMask;
> + UINT32 Level1Page;
> + UINT64 Level1Address;
> + UINT64 Level1Flags;
> + UINTN PteIndex;
> +
> + if (!SevEsIsEnabled ()) {
> + return;
> + }
That is incompatible with 5-level paging. The current reset vector will
never turn on 5-level paging in case SEV is active because we have more
incompatibilities elsewhere (BaseMemEncryptSevLib IIRC). But still,
it's moving things into the wrong direction ...
Ideally CpuPageTableLib should be used for this.
take care,
Gerd
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118211): https://edk2.groups.io/g/devel/message/118211
Mute This Topic: https://groups.io/mt/105698125/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2024-04-24 11:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-23 20:59 [edk2-devel] [PATCH] OvmfPkg: Don't make APIC MMIO accesses with encryption bit set Roth, Michael via groups.io
2024-04-24 11:54 ` Gerd Hoffmann [this message]
2024-04-24 14:05 ` Lendacky, Thomas via groups.io
2024-04-24 14:45 ` Gerd Hoffmann
2024-04-24 16:38 ` Lendacky, Thomas via groups.io
2024-04-24 14:50 ` Roth, Michael via groups.io
2024-04-24 16:09 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=k5vzhxgbisuajgvuthtq7uciyq4a36hjcjoicqtdfuwfv4mdcx@jbaljldsjfin \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox