[edk2-devel] [PATCH v3 4/5] OvmfPkg/Tcg2ConfigPei: Mark TPM MMIO range as unencrypted for SEV-ES

Laszlo Ersek lersek at redhat.com
Fri Apr 30 18:14:10 UTC 2021


Hi Tom,

On 04/30/21 19:01, Laszlo Ersek wrote:
> On 04/29/21 19:12, Lendacky, Thomas wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345
>>
>> During PEI, the MMIO range for the TPM is marked as encrypted when running
>> as an SEV guest. While this isn't an issue for an SEV guest because of
>> the way the nested page fault is handled, it does result in an SEV-ES
>> guest terminating because of a mitigation check in the #VC handler to
>> prevent MMIO to an encrypted address. For an SEV-ES guest, this range
>> must be marked as unencrypted.
>>
>> Create a new x86 PEIM for TPM support that will map the TPM MMIO range as
>> unencrypted when SEV-ES is active. The gOvmfTpmMmioAccessiblePpiGuid PPI
>> will be unconditionally installed before exiting. The PEIM will exit with
>> the EFI_ABORTED status so that the PEIM does not stay resident. This new
>> PEIM will depend on the installation of the permanent PEI RAM, by
>> PlatformPei, so that in case page table splitting is required during the
>> clearing of the encryption bit, the new page table(s) will be allocated
>> from permanent PEI RAM.
>>
>> Update all OVMF Ia32 and X64 build packages to include this new PEIM.
>>
>> Cc: Laszlo Ersek <lersek at redhat.com>
>> Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
>> Cc: Jordan Justen <jordan.l.justen at intel.com>
>> Cc: Brijesh Singh <brijesh.singh at amd.com>
>> Cc: Erdem Aktas <erdemaktas at google.com>
>> Cc: James Bottomley <jejb at linux.ibm.com>
>> Cc: Jiewen Yao <jiewen.yao at intel.com>
>> Cc: Min Xu <min.m.xu at intel.com>
>> Cc: Marc-André Lureau <marcandre.lureau at redhat.com>
>> Cc: Stefan Berger <stefanb at linux.ibm.com>
>> Signed-off-by: Tom Lendacky <thomas.lendacky at amd.com>
>> ---
>>  OvmfPkg/AmdSev/AmdSevX64.dsc                              |  1 +
>>  OvmfPkg/OvmfPkgIa32.dsc                                   |  1 +
>>  OvmfPkg/OvmfPkgIa32X64.dsc                                |  1 +
>>  OvmfPkg/OvmfPkgX64.dsc                                    |  1 +
>>  OvmfPkg/AmdSev/AmdSevX64.fdf                              |  1 +
>>  OvmfPkg/OvmfPkgIa32.fdf                                   |  1 +
>>  OvmfPkg/OvmfPkgIa32X64.fdf                                |  1 +
>>  OvmfPkg/OvmfPkgX64.fdf                                    |  1 +
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf | 40 +++++++++
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPeim.c  | 87 ++++++++++++++++++++
>>  10 files changed, 135 insertions(+)

[...]

> Reviewed-by: Laszlo Ersek <lersek at redhat.com>

I'm going to update the subject of this patch:

OvmfPkg/TpmMmioSevDecryptPei: Mark TPM MMIO range as unencrypted for SEV-ES

(75 chars, which is the longest that PatchCheck.py accepts.)

Thanks!
Laszlo


