[edk2-devel] [PATCH v3 2/3] OvmfPkg/ResetVector: update SEV support to use new work area format
Min Xu
min.m.xu at intel.com
Thu Aug 19 14:15:01 UTC 2021
Reviewed-by: Min Xu <min.m.xu at intel.com>
> -----Original Message-----
> From: Brijesh Singh <brijesh.singh at amd.com>
> Sent: Tuesday, August 17, 2021 9:47 PM
> To: devel at edk2.groups.io
> Cc: James Bottomley <jejb at linux.ibm.com>; Xu, Min M
> <min.m.xu at intel.com>; Yao, Jiewen <jiewen.yao at intel.com>; Tom Lendacky
> <thomas.lendacky at amd.com>; Justen, Jordan L <jordan.l.justen at intel.com>;
> Ard Biesheuvel <ardb+tianocore at kernel.org>; Erdem Aktas
> <erdemaktas at google.com>; Michael Roth <Michael.Roth at amd.com>; Brijesh
> Singh <brijesh.singh at amd.com>
> Subject: [PATCH v3 2/3] OvmfPkg/ResetVector: update SEV support to use new
> work area format
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
>
> Update the SEV support to switch to using the newer work area format.
>
> Cc: James Bottomley <jejb at linux.ibm.com>
> Cc: Min Xu <min.m.xu at intel.com>
> Cc: Jiewen Yao <jiewen.yao at intel.com>
> Cc: Tom Lendacky <thomas.lendacky at amd.com>
> Cc: Jordan Justen <jordan.l.justen at intel.com>
> Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
> Cc: Erdem Aktas <erdemaktas at google.com>
> Signed-off-by: Brijesh Singh <brijesh.singh at amd.com>
> ---
> OvmfPkg/ResetVector/ResetVector.inf | 1 +
> OvmfPkg/Sec/SecMain.inf | 2 ++
> OvmfPkg/Sec/SecMain.c | 36 ++++++++++++++++++++++-
> OvmfPkg/ResetVector/Ia32/AmdSev.asm | 8 +++++
> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 4 +++
> OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
> 6 files changed, 51 insertions(+), 1 deletion(-)
>
> diff --git a/OvmfPkg/ResetVector/ResetVector.inf
> b/OvmfPkg/ResetVector/ResetVector.inf
> index d028c92d8cfa..a2520dde5508 100644
> --- a/OvmfPkg/ResetVector/ResetVector.inf
> +++ b/OvmfPkg/ResetVector/ResetVector.inf
> @@ -43,6 +43,7 @@ [Pcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
> + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
>
> [FixedPcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
> diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index
> 7f78dcee2772..ea4b9611f52d 100644
> --- a/OvmfPkg/Sec/SecMain.inf
> +++ b/OvmfPkg/Sec/SecMain.inf
> @@ -70,6 +70,8 @@ [Pcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd
> gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
> +
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHead
> er
> + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
>
> [FeaturePcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
> diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index
> 9db67e17b2aa..707b0d4bbff4 100644
> --- a/OvmfPkg/Sec/SecMain.c
> +++ b/OvmfPkg/Sec/SecMain.c
> @@ -807,6 +807,36 @@ SevEsProtocolCheck (
> Ghcb->GhcbUsage = GHCB_STANDARD_USAGE; }
>
> +/**
> + Determine if the SEV is active.
> +
> + During the early booting, GuestType is set in the work area. Verify
> + that it is an SEV guest.
> +
> + @retval TRUE SEV is enabled
> + @retval FALSE SEV is not enabled
> +
> +**/
> +STATIC
> +BOOLEAN
> +IsSevGuest (
> + VOID
> + )
> +{
> + OVMF_WORK_AREA *WorkArea;
> +
> + //
> + // Ensure that the size of the Confidential Computing work area
> + header // is same as what is provided through a fixed PCD.
> + //
> + ASSERT ((UINTN) FixedPcdGet32
> (PcdOvmfConfidentialComputingWorkAreaHeader) ==
> + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
> +
> + WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32
> (PcdOvmfWorkAreaBase);
> +
> + return ((WorkArea != NULL) && (WorkArea->Header.GuestType ==
> +GUEST_TYPE_AMD_SEV)); }
> +
> /**
> Determine if SEV-ES is active.
>
> @@ -826,9 +856,13 @@ SevEsIsEnabled (
> {
> SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
>
> + if (!IsSevGuest()) {
> + return FALSE;
> + }
> +
> SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32
> (PcdSevEsWorkAreaBase);
>
> - return ((SevEsWorkArea != NULL) && (SevEsWorkArea->SevEsEnabled != 0));
> + return (SevEsWorkArea->SevEsEnabled != 0);
> }
>
> VOID
> diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> index aa95d06eaddb..87d81b01e263 100644
> --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
> @@ -171,6 +171,9 @@ CheckSevFeatures:
> bt eax, 0
> jnc NoSev
>
> + ; Set the work area header to indicate that the SEV is enabled
> + mov byte[WORK_AREA_GUEST_TYPE], 1
> +
> ; Check for SEV-ES memory encryption feature:
> ; CPUID Fn8000_001F[EAX] - Bit 3
> ; CPUID raises a #VC exception if running as an SEV-ES guest
> @@ -257,6 +260,11 @@ SevExit:
> IsSevEsEnabled:
> xor eax, eax
>
> + ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set
> + ; to 1 if SEV is enabled.
> + cmp byte[WORK_AREA_GUEST_TYPE], 1
> + jne SevEsDisabled
> +
> ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if
> ; SEV-ES is enabled.
> cmp byte[SEV_ES_WORK_AREA], 1
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index eacdb69ddb9f..f688909f1c7d 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -42,6 +42,10 @@ BITS 32
> ;
> SetCr3ForPageTables64:
>
> + ; Clear the WorkArea header. The SEV probe routines will populate the
> + ; work area when detected.
> + mov byte[WORK_AREA_GUEST_TYPE], 0
> +
> OneTimeCall CheckSevFeatures
> xor edx, edx
> test eax, eax
> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb
> b/OvmfPkg/ResetVector/ResetVector.nasmb
> index acec46a32450..d1d800c56745 100644
> --- a/OvmfPkg/ResetVector/ResetVector.nasmb
> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb
> @@ -72,6 +72,7 @@
> %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase))
> %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase))
> %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize))
> + %define WORK_AREA_GUEST_TYPE (FixedPcdGet32
> (PcdOvmfWorkAreaBase))
> %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase))
> %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32
> (PcdSevEsWorkAreaBase) + 8)
> %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32
> (PcdSevEsWorkAreaBase) + 16)
> --
> 2.17.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79581): https://edk2.groups.io/g/devel/message/79581
Mute This Topic: https://groups.io/mt/84947964/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list