[edk2-devel] [PATCH RFC v3 04/22] OvmfPkg/MemEncryptSevLib: extend Es Workarea to include hv features
Laszlo Ersek
lersek at redhat.com
Wed Jun 9 10:50:55 UTC 2021
On 06/08/21 23:36, Tom Lendacky wrote:
> On 6/8/21 3:49 AM, Laszlo Ersek wrote:
>> On 06/07/21 15:37, Brijesh Singh wrote:
>>
>>
> ...
>
>> ... But maybe I just need to accept that we have to repurpose
>> SEC_SEV_ES_WORK_AREA, considering it a super-early "HOB list" of sorts.
>> Same as the PEI phase is considered the "HOB producer phase", outputting
>> a bunch of disparate bits of info, we could consider the SEV-ES parts of
>> the Reset Vector such an "early info bits" producer phase. I think this
>> is a very big conceptual step away from the original purpose of
>> SEC_SEV_ES_WORK_AREA (note the *name* of the structure: "work area"!
>> HOBs are not "work areas", they are effectively read-only, once
>> produced). But perhaps this is what we need (and then with proper
>> documentation).
>>
>> NB however that HOBs have types, GUIDed HOBs have GUIDs, the HOB types
>> are specified in PI, and GUIDs are expressly declared to stand for
>> various purposes at least in edk2 DEC files. All that helps with
>> discerning the information flow. So... I'd still prefer keeping
>> SEC_SEV_ES_WORK_AREA as minimal as possible.
>>
>> Tom, any comments?
>
> The purpose of the work area was originally two-fold. It is used in the
> reset vector code to set the SevEsEnabled bit so that we could keep the
> original behavior in SecCoreStartupWithStack() - no initialization of the
> exception handlers or early enabling of processor cache. The second use is
> for initial AP startup, where we had a known memory address at build time
> that could be used to set the initial CS:IP of APs for the first boot.
>
> We expanded the use for the security mitigations, used by the reset vector
> code and again in SEC. At the start of PEI, PCDs are then set.
>
> So, yes, if the information can be obtained later, and in this case we're
> not talking about CPUID information which would need re-validation, then
> there's no need to keep it in the work area and we can keep the size and
> information stored in the work area to a minimum.
Thank you very much!
Laszlo
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76262): https://edk2.groups.io/g/devel/message/76262
Mute This Topic: https://groups.io/mt/83113765/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list