sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c0984d1ff28325a8f1c76e23a79141cbb12c3e4f
system76-edk2/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
Brijesh Singh via groups.io d706f8fec2 OvmfPkg/MemEncryptSevLib: add function to check the VMPL0 
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP
architecture allows a guest VM to divide its address space into four
levels. The level can be used to provide the hardware isolated
abstraction layers with a VM. The VMPL0 is the highest privilege, and
VMPL3 is the least privilege. Certain operations must be done by the
VMPL0 software, such as:

* Validate or invalidate memory range (PVALIDATE instruction)
* Allocate VMSA page (RMPADJUST instruction when VMSA=1)

The initial SEV-SNP support assumes that the guest is running on VMPL0.
Let's add function in the MemEncryptSevLib that can be used for checking
whether guest is booted under the VMPL0.

Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
2021-12-09 06:28:10 +00:00

83 lines
1.8 KiB
C
Raw Blame History

/** @file
SEV-SNP Page Validation functions.
Copyright (c) 2021 AMD Incorporated. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi/UefiBaseType.h>
#include <Library/BaseLib.h>
#include <Library/MemEncryptSevLib.h>
#include "SnpPageStateChange.h"
//
// The variable used for the VMPL check.
//
STATIC UINT8 gVmpl0Data[4096];
/**
The function checks whether SEV-SNP guest is booted under VMPL0.
@retval TRUE The guest is booted under VMPL0
@retval FALSE The guest is not booted under VMPL0
**/
STATIC
BOOLEAN
SevSnpIsVmpl0 (
VOID
)
{
UINT64 Rdx;
EFI_STATUS Status;
//
// There is no straightforward way to query the current VMPL level.
// The simplest method is to use the RMPADJUST instruction to change
// a page permission to a VMPL level-1, and if the guest kernel is
// launched at a level <= 1, then RMPADJUST instruction will return
// an error.
//
Rdx = 1;
Status = AsmRmpAdjust ((UINT64)gVmpl0Data, 0, Rdx);
if (EFI_ERROR (Status)) {
return FALSE;
}
return TRUE;
}
/**
Pre-validate the system RAM when SEV-SNP is enabled in the guest VM.
@param[in] BaseAddress Base address
@param[in] NumPages Number of pages starting from the base address
**/
VOID
EFIAPI
MemEncryptSevSnpPreValidateSystemRam (
IN PHYSICAL_ADDRESS BaseAddress,
IN UINTN NumPages
)
{
if (!MemEncryptSevSnpIsEnabled ()) {
return;
}
//
// The page state change uses the PVALIDATE instruction. The instruction
// can be run on VMPL-0 only. If its not VMPL-0 guest then terminate
// the boot.
//
if (!SevSnpIsVmpl0 ()) {
SnpPageStateFailureTerminate ();
}
InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE);
}
Reference in New Issue View Git Blame Copy Permalink