Date: Wed, 24 Apr 2024 13:54:01 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Michael Roth
Cc: devel@edk2.groups.io, Tom Lendacky, Ard Biesheuvel, Erdem Aktas, Jiewen Yao, Min Xu, Jianyong Wu, Anatol Belski
Subject: Re: [edk2-devel] [PATCH] OvmfPkg: Don't make APIC MMIO accesses with encryption bit set
References: <20240423205958.1791780-1-michael.roth@amd.com>
In-Reply-To: <20240423205958.1791780-1-michael.roth@amd.com>

On Tue, Apr 23, 2024 at 03:59:58PM -0500, Michael Roth wrote:
> For the most part, OVMF will clear the encryption bit for MMIO regions,
> but there is currently one known exception during SEC when the APIC
> base address is accessed via MMIO with the encryption bit set for
> SEV-ES/SEV-SNP guests.

What exactly accesses the LAPIC that early?
> +/**
> + Map known MMIO regions unencrypted if SEV-ES is active.
> +
> + During early booting, page table entries default to having the encryption bit
> + set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
> + encryption bit should be cleared. Clear it here for any known MMIO accesses
> + during SEC, which is currently just the APIC base address.
> +
> +**/
> +VOID
> +SecMapApicBaseUnencrypted (
> + VOID
> + )
> +{
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level4Entry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level3Entry;
> + PAGE_MAP_AND_DIRECTORY_POINTER *Level2Entry;
> + PAGE_TABLE_4K_ENTRY *Level1Entry;
> + SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
> + PHYSICAL_ADDRESS Cr3;
> + UINT64 ApicAddress;
> + UINT64 PgTableMask;
> + UINT32 Level1Page;
> + UINT64 Level1Address;
> + UINT64 Level1Flags;
> + UINTN PteIndex;
> +
> + if (!SevEsIsEnabled ()) {
> + return;
> + }

That is incompatible with 5-level paging. The current reset vector will
never turn on 5-level paging in case SEV is active because we have more
incompatibilities elsewhere (BaseMemEncryptSevLib IIRC). But still, it's
moving things in the wrong direction ...

Ideally CpuPageTableLib should be used for this.

take care,
  Gerd
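Review bot: the walk declared at the top of SecMapApicBaseUnencrypted (Level4Entry, Level3Entry, Level2Entry and Level1Entry resolved from Cr3) hard-codes a four-level page-table hierarchy, so if 5-level paging were ever active the first lookup would treat the PML5 table as a PML4 and clear the encryption bit on the wrong entry; the function should either return early (or ASSERT) when CR4.LA57 is set, or hand the attribute change to CpuPageTableLib, which knows the active paging mode, as the reply above also suggests. A smaller point: the doc comment promises to "Map known MMIO regions unencrypted" while the name and the quoted body cover only the APIC base, so either narrow the comment to the APIC case or name the function for the general one, so that the two stay consistent.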