[edk2-devel] [PATCH v12 06/32] OvmfPkg: reserve CPUID page

Brijesh Singh via groups.io brijesh.singh=amd.com at groups.io
Wed Nov 10 22:14:31 UTC 2021 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Platform features and capabilities are traditionally discovered via the
CPUID instruction. Hypervisors typically trap and emulate the CPUID
instruction for a variety of reasons. There are some cases where incorrect
CPUID information can potentially lead to a security issue. The SEV-SNP
firmware provides a feature to filter the CPUID results through the PSP.
The filtered CPUID values are saved on a special page for the guest to
consume. Reserve a page in MEMFD that will contain the results of
filtered CPUID values.

Cc: Michael Roth <michael.roth at amd.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Erdem Aktas <erdemaktas at google.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao at intel.com>
Acked-by: Gerd Hoffmann <kraxel at redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh at amd.com>
---
 OvmfPkg/OvmfPkg.dec                         |  7 +++++++
 OvmfPkg/OvmfPkgX64.fdf                      |  3 +++
 OvmfPkg/ResetVector/ResetVector.inf         |  2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb       |  2 ++
 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 16 ++++++++++++++++
 5 files changed, 30 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index deb285fd62c5..bc14cf2ed403 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -357,6 +357,13 @@ [PcdsFixedAtBuild]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59
 
+  ## The base address and size of a CPUID Area that contains the hypervisor
+  #  provided CPUID results. In the case of SEV-SNP, the CPUID results are
+  #  filtered by the SEV-SNP firmware. If this is set in the .fdf, the
+  #  platform is responsible to reserve this area from DXE phase overwrites.
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 1313c7f016bf..e94b433e7b28 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -91,6 +91,9 @@ [FD.MEMFD]
 0x00D000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
 
+0x00E000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
index fcbc25d0ce3d..1c5d84184ed7 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -55,6 +55,8 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize
 
 [FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 4e685ef23684..fbaeab5f5168 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -105,6 +105,8 @@
   %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
   %define SEV_SNP_SECRETS_BASE  (FixedPcdGet32 (PcdOvmfSnpSecretsBase))
   %define SEV_SNP_SECRETS_SIZE  (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
+  %define CPUID_BASE  (FixedPcdGet32 (PcdOvmfCpuidBase))
+  %define CPUID_SIZE  (FixedPcdGet32 (PcdOvmfCpuidSize))
 
 %include "X64/IntelTdxMetadata.asm"
 %include "Ia32/Flat32ToFlat64.asm"
diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
index 2bc7790bd808..0cc12ad3473f 100644
--- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
@@ -17,6 +17,16 @@ BITS  64
 ; AMD SEV-SNP specific sections
 %define OVMF_SECTION_TYPE_SNP_SECRETS     0x2
 
+;
+; The section contains the hypervisor pre-populated CPUID values.
+; In the case of SEV-SNP, the CPUID values are filtered and measured by
+; the SEV-SNP firmware.
+; The CPUID format is documented in SEV-SNP firmware spec 0.9 section 7.1
+; (CPUID function structure).
+;
+%define OVMF_SECTION_TYPE_CPUID           0x3
+
+
 ALIGN 16
 
 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0
@@ -39,5 +49,11 @@ SevSnpSecrets:
   DD  SEV_SNP_SECRETS_SIZE
   DD  OVMF_SECTION_TYPE_SNP_SECRETS
 
+; CPUID values
+CpuidSec:
+  DD  CPUID_BASE
+  DD  CPUID_SIZE
+  DD  OVMF_SECTION_TYPE_CPUID
+
 OvmfSevGuidedStructureEnd:
   ALIGN   16
-- 
2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#83579): https://edk2.groups.io/g/devel/message/83579
Mute This Topic: https://groups.io/mt/86969126/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list