[edk2-devel] [PATCH RFC v3 04/22] OvmfPkg/MemEncryptSevLib: extend Es Workarea to include hv features
Lendacky, Thomas via groups.io
thomas.lendacky=amd.com at groups.io
Tue Jun 8 21:36:18 UTC 2021
On 6/8/21 3:49 AM, Laszlo Ersek wrote:
> On 06/07/21 15:37, Brijesh Singh wrote:
>
>
...
> ... But maybe I just need to accept that we have to repurpose
> SEC_SEV_ES_WORK_AREA, considering it a super-early "HOB list" of sorts.
> Same as the PEI phase is considered the "HOB producer phase", outputting
> a bunch of disparate bits of info, we could consider the SEV-ES parts of
> the Reset Vector such an "early info bits" producer phase. I think this
> is a very big conceptual step away from the original purpose of
> SEC_SEV_ES_WORK_AREA (note the *name* of the structure: "work area"!
> HOBs are not "work areas", they are effectively read-only, once
> produced). But perhaps this is what we need (and then with proper
> documentation).
>
> NB however that HOBs have types, GUIDed HOBs have GUIDs, the HOB types
> are specified in PI, and GUIDs are expressly declared to stand for
> various purposes at least in edk2 DEC files. All that helps with
> discerning the information flow. So... I'd still prefer keeping
> SEC_SEV_ES_WORK_AREA as minimal as possible.
>
> Tom, any comments?
The purpose of the work area was originally two-fold. It is used in the
reset vector code to set the SevEsEnabled bit so that we could keep the
original behavior in SecCoreStartupWithStack() - no initialization of the
exception handlers or early enabling of processor cache. The second use is
for initial AP startup, where we had a known memory address at build time
that could be used to set the initial CS:IP of APs for the first boot.
We expanded the use for the security mitigations, used by the reset vector
code and again in SEC. At the start of PEI, PCDs are then set.
So, yes, if the information can be obtained later, and in this case we're
not talking about CPUID information which would need re-validation, then
there's no need to keep it in the work area and we can keep the size and
information stored in the work area to a minimum.
Thanks,
Tom
>
> Thank you Brijesh for raising great points!
> Laszlo
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76236): https://edk2.groups.io/g/devel/message/76236
Mute This Topic: https://groups.io/mt/83113765/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list