sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

OvmfPkg/ResetVector: update SEV support to use new work area format

Browse Source 
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Update the SEV support to switch to using the newer work area format.

Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
This commit is contained in:
Brijesh Singh
2021-08-17 21:46:50 +08:00
committed by mergify[bot]
parent 80e67af9af
commit ab77b6031b
6 changed files with 51 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
OvmfPkg/ResetVector/Ia32/AmdSev.asm
View File

@ -171,6 +171,9 @@ CheckSevFeatures:
bt eax, 0 bt eax, 0
jnc NoSev jnc NoSev
; Set the work area header to indicate that the SEV is enabled
mov byte[WORK_AREA_GUEST_TYPE], 1
; Check for SEV-ES memory encryption feature: ; Check for SEV-ES memory encryption feature:
; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID Fn8000_001F[EAX] - Bit 3
; CPUID raises a #VC exception if running as an SEV-ES guest ; CPUID raises a #VC exception if running as an SEV-ES guest
@ -257,6 +260,11 @@ SevExit:
IsSevEsEnabled: IsSevEsEnabled:
xor eax, eax xor eax, eax
; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set
; to 1 if SEV is enabled.
cmp byte[WORK_AREA_GUEST_TYPE], 1
jne SevEsDisabled
; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if
; SEV-ES is enabled. ; SEV-ES is enabled.
cmp byte[SEV_ES_WORK_AREA], 1 cmp byte[SEV_ES_WORK_AREA], 1

4
OvmfPkg/ResetVector/Ia32/PageTables64.asm
View File

@ -42,6 +42,10 @@ BITS 32
; ;
SetCr3ForPageTables64: SetCr3ForPageTables64:
; Clear the WorkArea header. The SEV probe routines will populate the
; work area when detected.
mov byte[WORK_AREA_GUEST_TYPE], 0
OneTimeCall CheckSevFeatures OneTimeCall CheckSevFeatures
xor edx, edx xor edx, edx
test eax, eax test eax, eax

1
OvmfPkg/ResetVector/ResetVector.inf
View File

@ -43,6 +43,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
[FixedPcd] [FixedPcd]
gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase

1
OvmfPkg/ResetVector/ResetVector.nasmb
View File

@ -72,6 +72,7 @@
%define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase))
%define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase))
%define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize))
%define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase))
%define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase))
%define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8)
%define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16)

36
OvmfPkg/Sec/SecMain.c
View File

@ -807,6 +807,36 @@ SevEsProtocolCheck (
Ghcb->GhcbUsage = GHCB_STANDARD_USAGE; Ghcb->GhcbUsage = GHCB_STANDARD_USAGE;
} }
/**
Determine if the SEV is active.
During the early booting, GuestType is set in the work area. Verify that it
is an SEV guest.
@retval TRUE SEV is enabled
@retval FALSE SEV is not enabled
**/
STATIC
BOOLEAN
IsSevGuest (
VOID
)
{
OVMF_WORK_AREA *WorkArea;
//
// Ensure that the size of the Confidential Computing work area header
// is same as what is provided through a fixed PCD.
//
ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) ==
sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase);
return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV));
}
/** /**
Determine if SEV-ES is active. Determine if SEV-ES is active.
@ -826,9 +856,13 @@ SevEsIsEnabled (
{ {
SEC_SEV_ES_WORK_AREA *SevEsWorkArea; SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
if (!IsSevGuest()) {
return FALSE;
}
SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
return ((SevEsWorkArea != NULL) && (SevEsWorkArea->SevEsEnabled != 0)); return (SevEsWorkArea->SevEsEnabled != 0);
} }
VOID VOID

2
OvmfPkg/Sec/SecMain.inf
View File

@ -70,6 +70,8 @@
gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
[FeaturePcd] [FeaturePcd]
gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire