OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3582 Improve the MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR value saved in the workarea. Since workarea is valid until the PEI phase, so, for the Dxe phase use the PcdConfidentialComputingGuestAttr to determine which SEV technology is enabled. Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
2022-02-21 22:59:14 +08:00
parent 63c50d3ff2
commit f1d1c337e7
6 changed files with 155 additions and 212 deletions
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -18,7 +18,33 @@
 #include <Uefi/UefiBaseType.h>

 /**
-  Reads and sets the status of SEV features.
+   Read the workarea to determine whether SEV is enabled. If enabled,
+   then return the SevEsWorkArea pointer.
+
+  **/
+STATIC
+SEC_SEV_ES_WORK_AREA *
+EFIAPI
+GetSevEsWorkArea (
+  VOID
+  )
+{
+  OVMF_WORK_AREA  *WorkArea;
+
+  WorkArea = (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase);
+
+  //
+  // If its not SEV guest then SevEsWorkArea is not valid.
+  //
+  if ((WorkArea == NULL) || (WorkArea->Header.GuestType != GUEST_TYPE_AMD_SEV)) {
+    return NULL;
+  }
+
+  return (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase);
+}
+
+/**
+  Read the SEV Status MSR value from the workarea

  **/
 STATIC
@@ -28,38 +54,14 @@ InternalMemEncryptSevStatus (
  VOID
  )
 {
-  UINT32                            RegEax;
-  CPUID_MEMORY_ENCRYPTION_INFO_EAX  Eax;
-  BOOLEAN                           ReadSevMsr;
-  SEC_SEV_ES_WORK_AREA              *SevEsWorkArea;
+  SEC_SEV_ES_WORK_AREA  *SevEsWorkArea;

-  ReadSevMsr = FALSE;
-
-  SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase);
-  if ((SevEsWorkArea != NULL) && (SevEsWorkArea->EncryptionMask != 0)) {
-    //
-    // The MSR has been read before, so it is safe to read it again and avoid
-    // having to validate the CPUID information.
-    //
-    ReadSevMsr = TRUE;
-  } else {
-    //
-    // Check if memory encryption leaf exist
-    //
-    AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL);
-    if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) {
-      //
-      // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported)
-      //
-      AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NULL);
-
-      if (Eax.Bits.SevBit) {
-        ReadSevMsr = TRUE;
-      }
-    }
+  SevEsWorkArea = GetSevEsWorkArea ();
+  if (SevEsWorkArea == NULL) {
+    return 0;
  }

-  return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0;
+  return (UINT32)(UINTN)SevEsWorkArea->SevStatusMsrValue;
 }

 /**
@@ -130,22 +132,14 @@ MemEncryptSevGetEncryptionMask (
  VOID
  )
 {
-  CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;
-  SEC_SEV_ES_WORK_AREA              *SevEsWorkArea;
-  UINT64                            EncryptionMask;
+  SEC_SEV_ES_WORK_AREA  *SevEsWorkArea;

-  SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase);
-  if (SevEsWorkArea != NULL) {
-    EncryptionMask = SevEsWorkArea->EncryptionMask;
-  } else {
-    //
-    // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
-    //
-    AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
-    EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
+  SevEsWorkArea = GetSevEsWorkArea ();
+  if (SevEsWorkArea == NULL) {
+    return 0;
  }

-  return EncryptionMask;
+  return SevEsWorkArea->EncryptionMask;
 }

 /**