For the most part, OVMF will clear the encryption bit for MMIO regions, but there is currently one known exception during SEC when the APIC base address is accessed via MMIO with the encryption bit set for SEV-ES/SEV-SNP guests. In the case of SEV-SNP, this requires special handling on the hypervisor side which may not be available in the future[1], so make the necessary changes in the SEC-configured page table to clear the encryption bit for the 4K region containing the APIC base address. [1] https://lore.kernel.org/lkml/20240208002420.34mvemnzrwwsaesw@amd.com/#t Suggested-by: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ard Biesheuvel <ardb@kernel.org> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jianyong Wu <jianyong.wu@arm.com> Cc: Anatol Belski <anbelski@linux.microsoft.com> Signed-off-by: Michael Roth <michael.roth@amd.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
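## @file
# SEC Driver
#
# Module description for OVMF's SEC-phase entry module (MODULE_TYPE = SEC,
# entry point SecMain).  The EDK II build tools read this file to collect
# sources, library classes, PPIs and PCDs; everything else is documentation.
#
# Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##

[Defines]
INF_VERSION = 1.30
BASE_NAME = SecMain
FILE_GUID = df1ccef6-f301-4a63-9661-fc6030dcc880
MODULE_TYPE = SEC
VERSION_STRING = 1.0
ENTRY_POINT = SecMain

#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 EBC
#

[Sources]
SecMain.c
# AmdSev.c/AmdSev.h: by name, the AMD SEV-specific part of SEC; the exact
# responsibilities are defined in those sources, not here.
AmdSev.c
AmdSev.h

[Sources.IA32]
Ia32/SecEntry.nasm

[Sources.X64]
X64/SecEntry.nasm

[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
UefiCpuPkg/UefiCpuPkg.dec
OvmfPkg/OvmfPkg.dec

[LibraryClasses]
BaseLib
DebugLib
BaseMemoryLib
PeiServicesLib
PcdLib
CpuLib
DebugAgentLib
IoLib
PeCoffLib
PeCoffGetEntryPointLib
PeCoffExtraActionLib
ExtractGuidedSectionLib
LocalApicLib
MemEncryptSevLib
CpuExceptionHandlerLib
CcProbeLib
# CpuPageTableLib: according to the commit that introduced it, SEC uses this
# to modify the SEC-configured page table so that the 4K page containing the
# APIC base address is mapped with the SEV encryption bit clear, because MMIO
# accessed through an encrypted mapping on SEV-ES/SEV-SNP depends on
# hypervisor-side handling that may not remain available.  Confirm the exact
# usage against AmdSev.c.
CpuPageTableLib

[Ppis]
gEfiTemporaryRamSupportPpiGuid # PPI ALWAYS_PRODUCED
gEfiPeiMpInitLibMpDepPpiGuid
gEfiPeiMpInitLibUpDepPpiGuid

[Pcd]
gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress
gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
# PcdOvmfWorkAreaBase is listed exactly once; the build tools need each PCD
# declared only once per section.
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase
gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
# PcdOvmfSecApicPageTableBase/Size: presumably the memory region that backs
# the page-table entries SEC rewrites to map the APIC base page unencrypted
# (see the CpuPageTableLib note above); verify the region's definition and
# reservation in OvmfPkg.dec and the platform FDF/DSC.
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize

[FeaturePcd]
gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire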