[edk2-devel] [PATCH v8 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported
Laszlo Ersek
lersek at redhat.com
Tue May 26 07:53:50 UTC 2020
On 05/19/20 23:51, Lendacky, Thomas wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>
> Protect the SEV-ES work area memory used by an SEV-ES guest.
>
> Regarding the lifecycle of the SEV-ES memory area:
> PcdSevEsWorkArea
>
> (a) when and how it is initialized after first boot of the VM
>
> If SEV-ES is enabled, the SEV-ES area is initialized during
> the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].
>
> (b) how it is protected from memory allocations during DXE
>
> If SEV-ES is enabled, then InitializeRamRegions()
> [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
> an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
> allocation HOB, in PEI.
>
> (c) how it is protected from the OS
>
> If S3 is enabled, then (b) reserves it from the OS too.
>
> If S3 is disabled, then the range needs no protection.
>
> (d) how it is accessed on the S3 resume path
>
> It is rewritten same as in (a), which is fine because (b) reserved it.
>
> (e) how it is accessed on the warm reset path
>
> It is rewritten same as in (a).
>
> Cc: Jordan Justen <jordan.l.justen at intel.com>
> Cc: Laszlo Ersek <lersek at redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel at arm.com>
> Cc: Anthony Perard <anthony.perard at citrix.com>
> Cc: Julien Grall <julien at xen.org>
> Signed-off-by: Tom Lendacky <thomas.lendacky at amd.com>
> ---
> OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++
> OvmfPkg/PlatformPei/MemDetect.c | 20 ++++++++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
> index 4742e1bdf42b..c53be2f4925c 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -118,6 +118,8 @@ [FixedPcd]
> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
> gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
> + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
> + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
>
> [FeaturePcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
> diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
> index 6b5fee166b5d..ffbbef891a11 100644
> --- a/OvmfPkg/PlatformPei/MemDetect.c
> +++ b/OvmfPkg/PlatformPei/MemDetect.c
> @@ -940,5 +940,25 @@ InitializeRamRegions (
> );
> }
> }
> +
> +#ifdef MDE_CPU_X64
> + if (MemEncryptSevEsIsEnabled ()) {
> + //
> + // If SEV-ES is enabled, reserve the SEV-ES work area.
> + //
> + // Since this memory range will be used by the Reset Vector on S3
> + // resume, it must be reserved as ACPI NVS.
> + //
> + // If S3 is unsupported, then various drivers might still write to the
> + // work area. We ought to prevent DXE from serving allocation requests
> + // such that they would overlap the work area.
> + //
> + BuildMemoryAllocationHob (
> + (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
> + (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
> + mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
> + );
> + }
> +#endif
> }
> }
>
Reviewed-by: Laszlo Ersek <lersek at redhat.com>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#60244): https://edk2.groups.io/g/devel/message/60244
Mute This Topic: https://groups.io/mt/74336597/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list