Tom Lendacky
f6bf37c171
OvmfPkg/BaseMemEncryptSevLib: Use AmdSvsmSnpPvalidate() to validate pages

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
The PVALIDATE instruction is used to change the SNP validation of a page,
but that can only be done when running at VMPL0. To prepare for running at
a less privileged VMPL, use the AmdSvsmLib library API to perform the
PVALIDATE. The AmdSvsmLib library will perform the proper operation on
behalf of the caller.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
2024-04-17 20:04:41 +00:00

Min M Xu
a89f558d3c
OvmfPkg/UefiCpuPkg/UefiPayloadPkg: Rename VmgExitLib to CcExitLib

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4123
VmgExitLib was once designed to provide interfaces to support the #VC handler
and issue the VMGEXIT instruction. After TDVF (enabling the TDX feature in OVMF)
was introduced, this library was updated to support #VE as well. Now the name
VmgExitLib cannot reflect what the lib does.
This patch renames VmgExitLib to CcExitLib (Cc means Confidential
Computing). This is a simple renaming and there are no logic changes.
After renaming, all the VmgExitLib-related code is updated with
CcExitLib. These changes are in OvmfPkg/UefiCpuPkg/UefiPayloadPkg.
Cc: Guo Dong <guo.dong@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: James Lu <james.lu@intel.com>
Reviewed-by: Gua Guo <gua.guo@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
2022-11-14 04:55:34 +00:00

Brijesh Singh
f1d1c337e7
OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3582
Improve MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR
value saved in the workarea. Since the workarea is valid until the PEI phase,
for the DXE phase use the PcdConfidentialComputingGuestAttr to
determine which SEV technology is enabled.
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
2022-02-28 02:46:08 +00:00

Brijesh Singh via groups.io
ade62c18f4
OvmfPkg/MemEncryptSevLib: add support to validate system RAM

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Many of the integrity guarantees of SEV-SNP are enforced through the
Reverse Map Table (RMP). Each RMP entry contains the GPA at which a
particular page of DRAM should be mapped. The guest can request the
hypervisor to add pages in the RMP table via the Page State Change VMGEXIT
defined in the GHCB specification sections 2.5.1 and 4.1.6. Inside each RMP
entry is a Validated flag; this flag is automatically cleared to 0 by the
CPU hardware when a new RMP entry is created for a guest. Each VM page
can be either validated or invalidated, as indicated by the Validated
flag in the RMP entry. Memory access to a private page that is not
validated generates a #VC. A VM can use the PVALIDATE instruction to
validate the private page before using it.
During guest creation, the boot ROM memory is pre-validated by the
AMD-SEV firmware. MemEncryptSevSnpValidateSystemRam() can be called
during the SEC and PEI phases to validate the detected system RAM.
One of the fields in the Page State Change NAE is the RMP page size. The
page size input parameter indicates that either a 4KB or 2MB page should
be used while adding the RMP entry. During the validation, when possible,
MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A
hypervisor backing the memory may choose to use a different page size
in the RMP entry. In those cases, the PVALIDATE instruction should return
SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512 pages
constituting the 2MB region.
Upon completion, the PVALIDATE instruction sets rFLAGS.CF to 0 if the
instruction changed the RMP entry and to 1 if the instruction did not
change the RMP entry. rFLAGS.CF will be 1 only when a memory region
is already validated. We should not double validate memory
as it could lead to a security compromise. If double validation is
detected, terminate the boot.
Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
2021-12-09 06:28:10 +00:00
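The validation flow this commit message describes (attempt a 2MB entry, fall back to 512 individual 4KB pages on SIZEMISMATCH, treat rFLAGS.CF=1 as a double validation and stop) as a host-runnable C model. This is an added example, not OVMF or AMD code: the real PVALIDATE instruction is replaced by mock_pvalidate() over a simulated RMP array, all function and enum names (validate_system_ram, sim_rmp_reset, VALIDATE_ERR_DOUBLE, and so on) are hypothetical, and the two PVALIDATE status values are modelled on the AMD APM definitions rather than taken from the page.

```c
/*
 * Host-runnable model of the SEV-SNP RAM validation loop described above.
 * Added example, not OVMF code: PVALIDATE is a software mock over a
 * simulated RMP so the 2MB/4KB fallback and the double-validation check
 * can be exercised without SEV-SNP hardware.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_4K      0x1000ULL
#define PAGE_2M      0x200000ULL
#define PAGES_PER_2M 512
#define SIM_PAGES    1024 /* 4 MiB of simulated guest RAM: two 2MB regions */

/* PVALIDATE status values in EAX (modelled on the AMD APM; only these two are used). */
#define PVALIDATE_SUCCESS           0
#define PVALIDATE_FAIL_SIZEMISMATCH 6

/* Outcome of the validation loop (hypothetical names). */
enum validate_status {
  VALIDATE_OK = 0,
  VALIDATE_ERR_PVALIDATE, /* PVALIDATE failed for a reason other than SIZEMISMATCH */
  VALIDATE_ERR_DOUBLE,    /* rFLAGS.CF was 1: already validated, terminate boot */
  VALIDATE_ERR_RANGE      /* unaligned or empty range passed by the caller */
};

/* Simulated RMP: one entry per 4KB guest page. */
struct rmp_entry {
  bool validated; /* the Validated flag */
  bool backed_2m; /* hypervisor backs this page with a 2MB RMP entry */
};
static struct rmp_entry sim_rmp[SIM_PAGES];
static unsigned pvalidate_calls;

/* Mock PVALIDATE (validate=1). Returns the EAX status; *cf gets rFLAGS.CF,
 * which is 1 when the RMP entry was NOT changed (already validated). */
static int mock_pvalidate(uint64_t gpa, uint64_t size, int *cf)
{
  size_t first = (size_t)(gpa / PAGE_4K);
  size_t count = (size == PAGE_2M) ? PAGES_PER_2M : 1;
  bool already = true;

  pvalidate_calls++;
  if (first + count > SIM_PAGES)
    return 1; /* treated as a generic input failure by the model */
  if (size == PAGE_2M) {
    /* A 2MB request against pages the hypervisor backs with 4KB entries. */
    for (size_t i = 0; i < count; i++)
      if (!sim_rmp[first + i].backed_2m)
        return PVALIDATE_FAIL_SIZEMISMATCH;
  }
  for (size_t i = 0; i < count; i++)
    already = already && sim_rmp[first + i].validated;
  for (size_t i = 0; i < count; i++)
    sim_rmp[first + i].validated = true;
  *cf = already ? 1 : 0;
  return PVALIDATE_SUCCESS;
}

static enum validate_status check_pvalidate(int ret, int cf)
{
  if (ret != PVALIDATE_SUCCESS)
    return VALIDATE_ERR_PVALIDATE;
  if (cf == 1)
    return VALIDATE_ERR_DOUBLE; /* double validation: refuse to continue */
  return VALIDATE_OK;
}

/* Validate [start, end): prefer 2MB entries, fall back to 512 x 4KB on SIZEMISMATCH. */
enum validate_status validate_system_ram(uint64_t start, uint64_t end)
{
  if (start % PAGE_4K || end % PAGE_4K || start >= end)
    return VALIDATE_ERR_RANGE;
  while (start < end) {
    uint64_t size = (start % PAGE_2M == 0 && end - start >= PAGE_2M) ? PAGE_2M : PAGE_4K;
    int cf = 0;
    int ret = mock_pvalidate(start, size, &cf);
    if (ret == PVALIDATE_FAIL_SIZEMISMATCH && size == PAGE_2M) {
      for (unsigned i = 0; i < PAGES_PER_2M; i++) {
        ret = mock_pvalidate(start + i * PAGE_4K, PAGE_4K, &cf);
        enum validate_status st = check_pvalidate(ret, cf);
        if (st != VALIDATE_OK)
          return st;
      }
    } else {
      enum validate_status st = check_pvalidate(ret, cf);
      if (st != VALIDATE_OK)
        return st;
    }
    start += size;
  }
  return VALIDATE_OK;
}

/* Scaffolding: the first pages_backed_2m pages get 2MB backing, the rest 4KB. */
void sim_rmp_reset(size_t pages_backed_2m)
{
  for (size_t i = 0; i < SIM_PAGES; i++) {
    sim_rmp[i].validated = false;
    sim_rmp[i].backed_2m = i < pages_backed_2m;
  }
  pvalidate_calls = 0;
}
unsigned sim_pvalidate_calls(void) { return pvalidate_calls; }
size_t sim_validated_pages(void)
{
  size_t n = 0;
  for (size_t i = 0; i < SIM_PAGES; i++)
    n += sim_rmp[i].validated;
  return n;
}

int main(void)
{
  sim_rmp_reset(PAGES_PER_2M); /* first 2MB backed 2MB, second 2MB backed 4KB */
  enum validate_status st = validate_system_ram(0, SIM_PAGES * PAGE_4K);
  printf("first pass: status %d, %u PVALIDATE calls, %zu pages validated\n",
         st, sim_pvalidate_calls(), sim_validated_pages());
  st = validate_system_ram(0, SIM_PAGES * PAGE_4K);
  printf("second pass: status %d (%s)\n", st,
         st == VALIDATE_ERR_DOUBLE ? "double validation detected" : "unexpected");
  return st == VALIDATE_ERR_DOUBLE ? 0 : 1;
}
```

With the first 2MB backed by a 2MB RMP entry and the second by 4KB entries, the first pass costs 1 + 1 + 512 PVALIDATE calls (one success, one SIZEMISMATCH, then the 512-page fallback) and validates every page; a second pass over the same range stops at the first CF=1 result, which is the condition the commit says must terminate the boot.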

Tom Lendacky
85b8eac59b
OvmfPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
When SEV-ES is active, an MMIO operation will trigger a #VC and the
VmgExitLib exception handler will process this MMIO operation.
A malicious hypervisor could try to extract information from encrypted
memory by setting a reserved bit in the guest's nested page tables for
a non-MMIO area. This can result in the encrypted data being copied into
the GHCB shared buffer area and accessed by the hypervisor.
Prevent this by ensuring that the MMIO source/destination is un-encrypted
memory. For the APIC register space, access is allowed in general.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <0cf28470ad5e694af45f7f0b35296628f819567d.1610045305.git.thomas.lendacky@amd.com>
2021-01-07 19:34:39 +00:00

Tom Lendacky
c330af0246
OvmfPkg/MemEncryptSevLib: Address range encryption state interface

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
Update the MemEncryptSevLib library to include an interface that can
report the encryption state on a range of memory. The values will
represent the range as being unencrypted, encrypted, a mix of unencrypted
and encrypted, and error (e.g. ranges that aren't mapped).
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <0d98f4d42a2b67310c29bac7bcdcf1eda6835847.1610045305.git.thomas.lendacky@amd.com>
2021-01-07 19:34:39 +00:00
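A host-runnable C model of the two pieces described in this commit and in the #VC MMIO commit above it: a query that classifies an address range as unencrypted, encrypted, mixed or error by walking the guest's own page-table entries, and the #VC handler check that refuses to service an MMIO access unless its target range is mapped unencrypted (genuine MMIO is mapped without the C-bit, whereas RAM the hypervisor falsely presents as MMIO is not), with the APIC register space allowed in general. This is an added example, not OVMF code: the page-table entries are a simulated array, the APIC base is the architectural default assumed for the demo, and all names (range_encryption_state, vc_mmio_target_allowed, sim_pt_set, RANGE_MIXED, and so on) are hypothetical.

```c
/*
 * Host-runnable model (added example, not OVMF code) of a range
 * encryption-state query and the #VC MMIO target check built on it.
 * Page-table entries are simulated; all names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_4K   0x1000ULL
#define SIM_PAGES 64            /* 256 KiB of simulated guest address space */
#define APIC_BASE 0xFEE00000ULL /* default local APIC register base (assumed) */
#define APIC_SIZE 0x1000ULL

/* Encryption state of a range: the four outcomes the commit lists. */
enum range_state {
  RANGE_UNENCRYPTED,
  RANGE_ENCRYPTED,
  RANGE_MIXED, /* some pages encrypted, some not */
  RANGE_ERROR  /* e.g. an unmapped page inside the range */
};

/* Simulated leaf page-table entry: present bit and the SEV C-bit (encryption mask). */
struct sim_pte {
  bool present;
  bool c_bit;
};
static struct sim_pte sim_pt[SIM_PAGES];

void sim_pt_set(size_t page, bool present, bool c_bit)
{
  if (page < SIM_PAGES) {
    sim_pt[page].present = present;
    sim_pt[page].c_bit = c_bit;
  }
}

/* Walk every page covering [base, base+len) and classify the range. */
enum range_state range_encryption_state(uint64_t base, uint64_t len)
{
  if (len == 0 || base + len < base)
    return RANGE_ERROR;
  uint64_t first = base / PAGE_4K;
  uint64_t last = (base + len - 1) / PAGE_4K;
  if (last >= SIM_PAGES)
    return RANGE_ERROR;
  bool enc = false, unenc = false;
  for (uint64_t p = first; p <= last; p++) {
    if (!sim_pt[p].present)
      return RANGE_ERROR; /* unmapped page: the caller must treat this as a failure */
    if (sim_pt[p].c_bit)
      enc = true;
    else
      unenc = true;
  }
  if (enc && unenc)
    return RANGE_MIXED;
  return enc ? RANGE_ENCRYPTED : RANGE_UNENCRYPTED;
}

/*
 * #VC MMIO handler policy: the MMIO target must be mapped unencrypted in the
 * guest's page tables, so encrypted data is never copied into the GHCB shared
 * buffer. The APIC register space is allowed in general.
 */
bool vc_mmio_target_allowed(uint64_t gpa, uint64_t len)
{
  if (len == 0 || gpa + len < gpa)
    return false;
  if (gpa >= APIC_BASE && gpa + len <= APIC_BASE + APIC_SIZE)
    return true;
  return range_encryption_state(gpa, len) == RANGE_UNENCRYPTED;
}

/* Constructed layout: everything encrypted except pages 4-5; page 10 unmapped. */
void sim_pt_demo_setup(void)
{
  for (size_t p = 0; p < SIM_PAGES; p++)
    sim_pt_set(p, true, true);
  sim_pt_set(4, true, false);
  sim_pt_set(5, true, false);
  sim_pt_set(10, false, false);
}

int main(void)
{
  sim_pt_demo_setup();
  printf("MMIO to 0x4000 (unencrypted): %s\n", vc_mmio_target_allowed(0x4000, 8) ? "allowed" : "rejected");
  printf("MMIO to 0x0000 (encrypted):   %s\n", vc_mmio_target_allowed(0x0, 8) ? "allowed" : "rejected");
  printf("MMIO to 0x5FFC (crosses pages): %s\n", vc_mmio_target_allowed(0x5FFC, 8) ? "allowed" : "rejected");
  printf("MMIO to 0xA000 (unmapped):    %s\n", vc_mmio_target_allowed(0xA000, 4) ? "allowed" : "rejected");
  printf("MMIO to APIC+0x20:            %s\n", vc_mmio_target_allowed(APIC_BASE + 0x20, 4) ? "allowed" : "rejected");
  return 0;
}
```

The check is deliberately strict: an access that straddles an unencrypted and an encrypted page is classified as mixed and rejected, and an unmapped page yields error rather than a default allow, so the handler fails closed in exactly the cases the commits single out.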

Tom Lendacky
a746ca5b47
OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
In preparation for a new interface to be added to the MemEncryptSevLib
library that will be used in SEC, create an SEC version of the library.
This requires the creation of SEC specific files.
Some of the current MemEncryptSevLib functions perform memory allocations
which cannot be performed in SEC, so these interfaces will return an error
during SEC. Also, the current MemEncryptSevLib library uses some static
variables to optimize access to variables, which cannot be used in SEC.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <bc7fa76cc23784ab3f37356b6c10dfec61942c38.1610045305.git.thomas.lendacky@amd.com>
2021-01-07 19:34:39 +00:00

Tom Lendacky
b97dc4b92b
OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
To ensure that we always use a validated encryption mask for an SEV-ES
guest, create a new interface in the MemEncryptSevLib library to return
the encryption mask. This can be used in place of the multiple locations
where CPUID is used to retrieve the value (which would require validation
again) and allows the validated mask to be returned.
The PEI phase will use the value from the SEV-ES work area. Since the
SEV-ES work area isn't valid in the DXE phase, the DXE phase will use the
PcdPteMemoryEncryptionAddressOrMask PCD which is set during PEI.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Peter Grehan <grehan@freebsd.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <e12044dc01b21e6fc2e9535760ddf3a38a142a71.1610045305.git.thomas.lendacky@amd.com>
2021-01-07 19:34:39 +00:00