From 3b32be7e7192654812eb35bd89255f2916b1f02a Mon Sep 17 00:00:00 2001 From: Tom Lendacky Date: Thu, 7 Jan 2021 12:48:15 -0600 Subject: [PATCH] OvmfPkg/ResetVector: Save the encryption mask at boot time BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 The early assembler code performs validation for some of the SEV-related information, specifically the encryption bit position. To avoid having to re-validate the encryption bit position as the system proceeds through its boot phases, save the validated encryption bit position in the SEV-ES work area for use by later phases. Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Brijesh Singh Reviewed-by: Laszlo Ersek Signed-off-by: Tom Lendacky Message-Id: <2609724859cf21f0c6d45bc323e94465dca4e621.1610045305.git.thomas.lendacky@amd.com> --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 2 ++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 10 +++++++++- OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index dc09c61e58..a2c70aa550 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -29,6 +29,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT8 Reserved1[7]; UINT64 RandomData; + + UINT64 EncryptionMask; } SEC_SEV_ES_WORK_AREA; /** diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm index a1771dfdec..5fae8986d9 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -145,7 +145,7 @@ GetSevEncBit: ; The encryption bit position is always above 31 sub ebx, 32 - jns SevExit + jns SevSaveMask ; Encryption bit was reported as 31 or below, enter a HLT loop SevEncBitLowHlt: @@ -153,6 +153,14 @@ SevEncBitLowHlt: hlt jmp SevEncBitLowHlt +SevSaveMask: + xor edx, edx + bts edx, ebx + + mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 + mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx + jmp SevExit + NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index d3aa879829..5fbacaed5f 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -74,6 +74,7 @@ %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) + %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm"