[edk2-devel] [PATCH v4 3/4] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall

Brijesh Singh via groups.io brijesh.singh=amd.com at groups.io
Tue Jun 22 20:35:19 UTC 2021



On 6/21/2021 8:57 AM, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra at amd.com>
> 
> Mark the SEC GHCB page (that is mapped as unencrypted in
> ResetVector code) in the hypervisor page status tracking.
> 
> Cc: Jordan Justen <jordan.l.justen at intel.com>
> Cc: Laszlo Ersek <lersek at redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel at arm.com>
> 
Remove this new line.

> Signed-off-by: Ashish Kalra <ashish.kalra at amd.com>
> ---
>  OvmfPkg/PlatformPei/AmdSev.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index a8bf610022..3f642ecb06 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -15,6 +15,7 @@
>  #include <Library/HobLib.h>
>  #include <Library/MemEncryptSevLib.h>
>  #include <Library/MemoryAllocationLib.h>
> +#include <Library/MemEncryptHypercallLib.h>
>  #include <Library/PcdLib.h>
>  #include <PiPei.h>
>  #include <Register/Amd/Msr.h>
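
Review bot: the added include of Library/MemEncryptHypercallLib.h brings in a new library class, but the diffstat lists AmdSev.c as the only file changed, so this patch does not add MemEncryptHypercallLib to the module's INF [LibraryClasses] section; confirm that another patch in the series does so, or add it here. The include is also placed after MemoryAllocationLib.h, which breaks the alphabetical order of the surrounding list; it belongs just before MemEncryptSevLib.h.
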
> @@ -52,6 +53,15 @@ AmdSevEsInitialize (
>    PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
>    ASSERT_RETURN_ERROR (PcdStatus);
>  
> +  //
> +  // GHCB_BASE setup during reset-vector needs to be marked as
> +  // decrypted in the hypervisor page encryption bitmap.
> +  //
> +  SetMemoryEncDecHypercall3 (FixedPcdGet32 (PcdOvmfSecGhcbBase),
> +    EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize)),
> +    KVM_MAP_GPA_RANGE_DECRYPTED
> +    );
> +
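
Review bot: the result of the SetMemoryEncDecHypercall3 () call is discarded, whereas the PcdSetBoolS () call in the context lines just above has its status checked with ASSERT_RETURN_ERROR. If the function returns a status, capture it and assert or log on failure, so that a rejected hypercall does not pass silently and leave the hypervisor's page status tracking out of step with the unencrypted mapping of the SEC GHCB page. Style: "EFI_SIZE_TO_PAGES(FixedPcdGet32 (" lacks the space before the opening parenthesis that the other calls in this hunk use.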

Typically we should invoke the HC as soon as the page state is changed in the PTE.
Why are we notifying it too late? Is this because you are trying to avoid asm code,
or because there is no MSR protocol for VMMCALL NAE?

I am okay with not notifying in ASM code, but at least we should notify the change
during the ES protocol negotiation and before the GHCB is set up. In other words,
do it inside the SevEsProtocolCheck() [Sec/SecMain.c].

-Brijesh

