OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
/**@file
|
|
|
|
Initialize Secure Encrypted Virtualization (SEV) support
|
|
|
|
|
2021-01-07 19:48:17 +01:00
|
|
|
Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
|
2019-04-04 01:06:33 +02:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
|
|
|
|
**/
|
|
|
|
//
|
|
|
|
// The package level header files this module uses
|
|
|
|
//
|
OvmfPkg/SEV: don't manage the lifecycle of the SMRAM at the default SMBASE
When OVMF runs in a SEV guest, the initial SMM Save State Map is
(1) allocated as EfiBootServicesData type memory in OvmfPkg/PlatformPei,
function AmdSevInitialize(), for preventing unintended information
sharing with the hypervisor;
(2) decrypted in AmdSevDxe;
(3) re-encrypted in OvmfPkg/Library/SmmCpuFeaturesLib, function
SmmCpuFeaturesSmmRelocationComplete(), which is called by
PiSmmCpuDxeSmm right after initial SMBASE relocation;
(4) released to DXE at the same location.
The SMRAM at the default SMBASE is a superset of the initial Save State
Map. The reserved memory allocation in InitializeRamRegions(), from the
previous patch, must override the allocating and freeing in (1) and (4),
respectively. (Note: the decrypting and re-encrypting in (2) and (3) are
unaffected.)
In AmdSevInitialize(), only assert the containment of the initial Save
State Map, in the larger area already allocated by InitializeRamRegions().
In SmmCpuFeaturesSmmRelocationComplete(), preserve the allocation of the
initial Save State Map into OS runtime, as part of the allocation done by
InitializeRamRegions(). Only assert containment.
These changes only affect the normal boot path (the UEFI memory map is
untouched during S3 resume).
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1512
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Message-Id: <20200129214412.2361-9-lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-09-20 17:07:43 +02:00
|
|
|
#include <IndustryStandard/Q35MchIch9.h>
|
2020-08-12 22:21:40 +02:00
|
|
|
#include <Library/BaseMemoryLib.h>
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
#include <Library/DebugLib.h>
|
OvmfPkg/PlatformPei: SEV: allocate pages of initial SMRAM save state map
In the next two patches, we'll temporarily decrypt the pages containing
the initial SMRAM save state map, for SMBASE relocation. (Unlike the
separate, relocated SMRAM save state map of each VCPU, the original,
shared map behaves similarly to a "common buffer" between guest and host.)
The decryption will occur near the beginning of the DXE phase, in
AmdSevDxe, and the re-encryption will occur in PiSmmCpuDxeSmm, via OVMF's
SmmCpuFeaturesLib instance.
There is a non-trivial time gap between these two points, and the DXE
phase might use the pages overlapping the initial SMRAM save state map for
arbitrary purposes meanwhile. In order to prevent any information leak
towards the hypervisor, make sure the DXE phase puts nothing in those
pages until re-encryption is done.
Creating a memalloc HOB for the area in question is safe:
- the temporary SEC/PEI RAM (stack and heap) is based at
PcdOvmfSecPeiTempRamBase, which is above 8MB,
- the permanent PEI RAM (installed in PlatformPei's PublishPeiMemory()
function) never starts below PcdOvmfDxeMemFvBase, which is also above
8MB.
The allocated pages can be released to the DXE phase after SMBASE
relocation and re-encryption are complete.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
2018-03-01 17:59:19 +01:00
|
|
|
#include <Library/HobLib.h>
|
2018-03-01 17:52:37 +01:00
|
|
|
#include <Library/MemEncryptSevLib.h>
|
2020-08-12 22:21:40 +02:00
|
|
|
#include <Library/MemoryAllocationLib.h>
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
#include <Library/PcdLib.h>
|
2018-03-01 17:52:37 +01:00
|
|
|
#include <PiPei.h>
|
2020-08-12 22:21:40 +02:00
|
|
|
#include <Register/Amd/Msr.h>
|
OvmfPkg/SEV: don't manage the lifecycle of the SMRAM at the default SMBASE
When OVMF runs in a SEV guest, the initial SMM Save State Map is
(1) allocated as EfiBootServicesData type memory in OvmfPkg/PlatformPei,
function AmdSevInitialize(), for preventing unintended information
sharing with the hypervisor;
(2) decrypted in AmdSevDxe;
(3) re-encrypted in OvmfPkg/Library/SmmCpuFeaturesLib, function
SmmCpuFeaturesSmmRelocationComplete(), which is called by
PiSmmCpuDxeSmm right after initial SMBASE relocation;
(4) released to DXE at the same location.
The SMRAM at the default SMBASE is a superset of the initial Save State
Map. The reserved memory allocation in InitializeRamRegions(), from the
previous patch, must override the allocating and freeing in (1) and (4),
respectively. (Note: the decrypting and re-encrypting in (2) and (3) are
unaffected.)
In AmdSevInitialize(), only assert the containment of the initial Save
State Map, in the larger area already allocated by InitializeRamRegions().
In SmmCpuFeaturesSmmRelocationComplete(), preserve the allocation of the
initial Save State Map into OS runtime, as part of the allocation done by
InitializeRamRegions(). Only assert containment.
These changes only affect the normal boot path (the UEFI memory map is
untouched during S3 resume).
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1512
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Message-Id: <20200129214412.2361-9-lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-09-20 17:07:43 +02:00
|
|
|
#include <Register/Intel/SmramSaveStateMap.h>
|
2021-12-09 04:27:40 +01:00
|
|
|
#include <Library/VmgExitLib.h>
|
2021-12-09 04:27:49 +01:00
|
|
|
#include <ConfidentialComputingGuestAttr.h>
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
|
2018-02-06 22:18:36 +01:00
|
|
|
#include "Platform.h"
|
|
|
|
|
2021-12-09 04:27:52 +01:00
|
|
|
STATIC
|
|
|
|
UINT64
|
|
|
|
GetHypervisorFeature (
|
|
|
|
VOID
|
|
|
|
);
|
|
|
|
|
2021-12-09 04:27:47 +01:00
|
|
|
/**
|
|
|
|
Initialize SEV-SNP support if running as an SEV-SNP guest.
|
|
|
|
|
|
|
|
**/
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
AmdSevSnpInitialize (
|
|
|
|
VOID
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_PEI_HOB_POINTERS Hob;
|
|
|
|
EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob;
|
2021-12-09 04:27:52 +01:00
|
|
|
UINT64 HvFeatures;
|
|
|
|
EFI_STATUS PcdStatus;
|
2021-12-09 04:27:47 +01:00
|
|
|
|
|
|
|
if (!MemEncryptSevSnpIsEnabled ()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-12-09 04:27:52 +01:00
|
|
|
//
|
|
|
|
// Query the hypervisor feature using the VmgExit and set the value in the
|
|
|
|
// hypervisor features PCD.
|
|
|
|
//
|
|
|
|
HvFeatures = GetHypervisorFeature ();
|
|
|
|
PcdStatus = PcdSet64S (PcdGhcbHypervisorFeatures, HvFeatures);
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
|
|
|
|
2021-12-09 04:27:47 +01:00
|
|
|
//
|
|
|
|
// Iterate through the system RAM and validate it.
|
|
|
|
//
|
|
|
|
for (Hob.Raw = GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw = GET_NEXT_HOB (Hob)) {
|
|
|
|
if ((Hob.Raw != NULL) && (GET_HOB_TYPE (Hob) == EFI_HOB_TYPE_RESOURCE_DESCRIPTOR)) {
|
|
|
|
ResourceHob = Hob.ResourceDescriptor;
|
|
|
|
|
|
|
|
if (ResourceHob->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) {
|
|
|
|
MemEncryptSevSnpPreValidateSystemRam (
|
|
|
|
ResourceHob->PhysicalStart,
|
|
|
|
EFI_SIZE_TO_PAGES ((UINTN)ResourceHob->ResourceLength)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-12-09 04:27:40 +01:00
|
|
|
/**
|
|
|
|
Handle an SEV-SNP/GHCB protocol check failure.
|
|
|
|
|
|
|
|
Notify the hypervisor using the VMGEXIT instruction that the SEV-SNP guest
|
|
|
|
wishes to be terminated.
|
|
|
|
|
|
|
|
@param[in] ReasonCode Reason code to provide to the hypervisor for the
|
|
|
|
termination request.
|
|
|
|
|
|
|
|
**/
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
SevEsProtocolFailure (
|
|
|
|
IN UINT8 ReasonCode
|
|
|
|
)
|
|
|
|
{
|
|
|
|
MSR_SEV_ES_GHCB_REGISTER Msr;
|
|
|
|
|
|
|
|
//
|
|
|
|
// Use the GHCB MSR Protocol to request termination by the hypervisor
|
|
|
|
//
|
|
|
|
Msr.GhcbPhysicalAddress = 0;
|
|
|
|
Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST;
|
|
|
|
Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB;
|
|
|
|
Msr.GhcbTerminate.ReasonCode = ReasonCode;
|
|
|
|
AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress);
|
|
|
|
|
|
|
|
AsmVmgExit ();
|
|
|
|
|
|
|
|
ASSERT (FALSE);
|
|
|
|
CpuDeadLoop ();
|
|
|
|
}
|
|
|
|
|
2021-12-09 04:27:52 +01:00
|
|
|
/**
|
|
|
|
Get the hypervisor features bitmap
|
|
|
|
|
|
|
|
**/
|
|
|
|
STATIC
|
|
|
|
UINT64
|
|
|
|
GetHypervisorFeature (
|
|
|
|
VOID
|
|
|
|
)
|
|
|
|
{
|
|
|
|
UINT64 Status;
|
|
|
|
GHCB *Ghcb;
|
|
|
|
MSR_SEV_ES_GHCB_REGISTER Msr;
|
|
|
|
BOOLEAN InterruptState;
|
|
|
|
UINT64 Features;
|
|
|
|
|
|
|
|
Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
|
|
|
|
Ghcb = Msr.Ghcb;
|
|
|
|
|
|
|
|
//
|
|
|
|
// Initialize the GHCB
|
|
|
|
//
|
|
|
|
VmgInit (Ghcb, &InterruptState);
|
|
|
|
|
|
|
|
//
|
|
|
|
// Query the Hypervisor Features.
|
|
|
|
//
|
|
|
|
Status = VmgExit (Ghcb, SVM_EXIT_HYPERVISOR_FEATURES, 0, 0);
|
|
|
|
if ((Status != 0)) {
|
|
|
|
SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
Features = Ghcb->SaveArea.SwExitInfo2;
|
|
|
|
|
|
|
|
VmgDone (Ghcb, InterruptState);
|
|
|
|
|
|
|
|
return Features;
|
|
|
|
}
|
|
|
|
|
2021-12-09 04:27:40 +01:00
|
|
|
/**
|
|
|
|
|
|
|
|
This function can be used to register the GHCB GPA.
|
|
|
|
|
|
|
|
@param[in] Address The physical address to be registered.
|
|
|
|
|
|
|
|
**/
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
GhcbRegister (
|
|
|
|
IN EFI_PHYSICAL_ADDRESS Address
|
|
|
|
)
|
|
|
|
{
|
|
|
|
MSR_SEV_ES_GHCB_REGISTER Msr;
|
|
|
|
MSR_SEV_ES_GHCB_REGISTER CurrentMsr;
|
|
|
|
|
|
|
|
//
|
|
|
|
// Save the current MSR Value
|
|
|
|
//
|
|
|
|
CurrentMsr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
|
|
|
|
|
|
|
|
//
|
|
|
|
// Use the GHCB MSR Protocol to request to register the GPA.
|
|
|
|
//
|
|
|
|
Msr.GhcbPhysicalAddress = Address & ~EFI_PAGE_MASK;
|
|
|
|
Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST;
|
|
|
|
AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress);
|
|
|
|
|
|
|
|
AsmVmgExit ();
|
|
|
|
|
|
|
|
Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
|
|
|
|
|
|
|
|
//
|
|
|
|
// If hypervisor responded with a different GPA than requested then fail.
|
|
|
|
//
|
|
|
|
if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) ||
|
|
|
|
((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address))
|
|
|
|
{
|
|
|
|
SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
//
|
|
|
|
// Restore the MSR
|
|
|
|
//
|
|
|
|
AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress);
|
|
|
|
}
|
|
|
|
|
2020-08-12 22:21:39 +02:00
|
|
|
/**
|
|
|
|
|
|
|
|
Initialize SEV-ES support if running as an SEV-ES guest.
|
|
|
|
|
|
|
|
**/
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
AmdSevEsInitialize (
|
|
|
|
VOID
|
|
|
|
)
|
|
|
|
{
|
2021-01-07 19:48:23 +01:00
|
|
|
UINT8 *GhcbBase;
|
|
|
|
PHYSICAL_ADDRESS GhcbBasePa;
|
|
|
|
UINTN GhcbPageCount;
|
|
|
|
UINT8 *GhcbBackupBase;
|
|
|
|
UINT8 *GhcbBackupPages;
|
|
|
|
UINTN GhcbBackupPageCount;
|
|
|
|
SEV_ES_PER_CPU_DATA *SevEsData;
|
|
|
|
UINTN PageCount;
|
|
|
|
RETURN_STATUS PcdStatus, DecryptStatus;
|
|
|
|
IA32_DESCRIPTOR Gdtr;
|
|
|
|
VOID *Gdt;
|
2020-08-12 22:21:39 +02:00
|
|
|
|
|
|
|
if (!MemEncryptSevEsIsEnabled ()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
2020-08-12 22:21:40 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// Allocate GHCB and per-CPU variable pages.
|
2020-08-12 22:21:42 +02:00
|
|
|
// Since the pages must survive across the UEFI to OS transition
|
|
|
|
// make them reserved.
|
2020-08-12 22:21:40 +02:00
|
|
|
//
|
2022-03-06 03:20:36 +01:00
|
|
|
GhcbPageCount = mPlatformInfoHob.PcdCpuMaxLogicalProcessorNumber * 2;
|
2021-12-05 23:54:09 +01:00
|
|
|
GhcbBase = AllocateReservedPages (GhcbPageCount);
|
2020-08-12 22:21:40 +02:00
|
|
|
ASSERT (GhcbBase != NULL);
|
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
GhcbBasePa = (PHYSICAL_ADDRESS)(UINTN)GhcbBase;
|
2020-08-12 22:21:40 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// Each vCPU gets two consecutive pages, the first is the GHCB and the
|
|
|
|
// second is the per-CPU variable page. Loop through the allocation and
|
|
|
|
// only clear the encryption mask for the GHCB pages.
|
|
|
|
//
|
|
|
|
for (PageCount = 0; PageCount < GhcbPageCount; PageCount += 2) {
|
|
|
|
DecryptStatus = MemEncryptSevClearPageEncMask (
|
2021-12-05 23:54:09 +01:00
|
|
|
0,
|
|
|
|
GhcbBasePa + EFI_PAGES_TO_SIZE (PageCount),
|
|
|
|
1
|
|
|
|
);
|
2020-08-12 22:21:40 +02:00
|
|
|
ASSERT_RETURN_ERROR (DecryptStatus);
|
|
|
|
}
|
|
|
|
|
|
|
|
ZeroMem (GhcbBase, EFI_PAGES_TO_SIZE (GhcbPageCount));
|
|
|
|
|
|
|
|
PcdStatus = PcdSet64S (PcdGhcbBase, GhcbBasePa);
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
|
|
|
PcdStatus = PcdSet64S (PcdGhcbSize, EFI_PAGES_TO_SIZE (GhcbPageCount));
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
DEBUG ((
|
|
|
|
DEBUG_INFO,
|
2020-08-12 22:21:40 +02:00
|
|
|
"SEV-ES is enabled, %lu GHCB pages allocated starting at 0x%p\n",
|
2021-12-05 23:54:09 +01:00
|
|
|
(UINT64)GhcbPageCount,
|
|
|
|
GhcbBase
|
|
|
|
));
|
2020-08-12 22:21:40 +02:00
|
|
|
|
2021-01-07 19:48:23 +01:00
|
|
|
//
|
|
|
|
// Allocate #VC recursion backup pages. The number of backup pages needed is
|
|
|
|
// one less than the maximum VC count.
|
|
|
|
//
|
2022-03-06 03:20:36 +01:00
|
|
|
GhcbBackupPageCount = mPlatformInfoHob.PcdCpuMaxLogicalProcessorNumber * (VMGEXIT_MAXIMUM_VC_COUNT - 1);
|
2021-12-05 23:54:09 +01:00
|
|
|
GhcbBackupBase = AllocatePages (GhcbBackupPageCount);
|
2021-01-07 19:48:23 +01:00
|
|
|
ASSERT (GhcbBackupBase != NULL);
|
|
|
|
|
|
|
|
GhcbBackupPages = GhcbBackupBase;
|
|
|
|
for (PageCount = 1; PageCount < GhcbPageCount; PageCount += 2) {
|
|
|
|
SevEsData =
|
|
|
|
(SEV_ES_PER_CPU_DATA *)(GhcbBase + EFI_PAGES_TO_SIZE (PageCount));
|
|
|
|
SevEsData->GhcbBackupPages = GhcbBackupPages;
|
|
|
|
|
|
|
|
GhcbBackupPages += EFI_PAGE_SIZE * (VMGEXIT_MAXIMUM_VC_COUNT - 1);
|
|
|
|
}
|
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
DEBUG ((
|
|
|
|
DEBUG_INFO,
|
2021-01-07 19:48:23 +01:00
|
|
|
"SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n",
|
2021-12-05 23:54:09 +01:00
|
|
|
(UINT64)GhcbBackupPageCount,
|
|
|
|
GhcbBackupBase
|
|
|
|
));
|
2021-01-07 19:48:23 +01:00
|
|
|
|
2021-12-09 04:27:40 +01:00
|
|
|
//
|
|
|
|
// SEV-SNP guest requires that GHCB GPA must be registered before using it.
|
|
|
|
//
|
|
|
|
if (MemEncryptSevSnpIsEnabled ()) {
|
|
|
|
GhcbRegister (GhcbBasePa);
|
|
|
|
}
|
|
|
|
|
2020-08-12 22:21:40 +02:00
|
|
|
AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa);
|
2020-08-12 22:21:40 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// The SEV support will clear the C-bit from non-RAM areas. The early GDT
|
|
|
|
// lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
|
|
|
|
// will be read as un-encrypted even though it was created before the C-bit
|
|
|
|
// was cleared (encrypted). This will result in a failure to be able to
|
|
|
|
// handle the exception.
|
|
|
|
//
|
|
|
|
AsmReadGdtr (&Gdtr);
|
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
Gdt = AllocatePages (EFI_SIZE_TO_PAGES ((UINTN)Gdtr.Limit + 1));
|
2020-08-12 22:21:40 +02:00
|
|
|
ASSERT (Gdt != NULL);
|
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
CopyMem (Gdt, (VOID *)Gdtr.Base, Gdtr.Limit + 1);
|
|
|
|
Gdtr.Base = (UINTN)Gdt;
|
2020-08-12 22:21:40 +02:00
|
|
|
AsmWriteGdtr (&Gdtr);
|
2020-08-12 22:21:39 +02:00
|
|
|
}
|
|
|
|
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
/**
|
|
|
|
|
|
|
|
Function checks if SEV support is available, if present then it sets
|
|
|
|
the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.
|
|
|
|
|
|
|
|
**/
|
|
|
|
VOID
|
|
|
|
AmdSevInitialize (
|
|
|
|
VOID
|
|
|
|
)
|
|
|
|
{
|
2021-12-05 23:54:09 +01:00
|
|
|
UINT64 EncryptionMask;
|
|
|
|
RETURN_STATUS PcdStatus;
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// Check if SEV is enabled
|
|
|
|
//
|
|
|
|
if (!MemEncryptSevIsEnabled ()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-12-09 04:27:47 +01:00
|
|
|
//
|
|
|
|
// Check and perform SEV-SNP initialization if required. This need to be
|
|
|
|
// done before the GHCB page is made shared in the AmdSevEsInitialize(). This
|
|
|
|
// is because the system RAM must be validated before it is made shared.
|
|
|
|
// The AmdSevSnpInitialize() validates the system RAM.
|
|
|
|
//
|
|
|
|
AmdSevSnpInitialize ();
|
|
|
|
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
//
|
|
|
|
// Set Memory Encryption Mask PCD
|
|
|
|
//
|
2021-01-07 19:48:17 +01:00
|
|
|
EncryptionMask = MemEncryptSevGetEncryptionMask ();
|
2021-12-05 23:54:09 +01:00
|
|
|
PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
|
|
|
|
|
|
|
DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));
|
2017-10-05 22:16:42 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// Set Pcd to Deny the execution of option ROM when security
|
|
|
|
// violation.
|
|
|
|
//
|
|
|
|
PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
OvmfPkg/PlatformPei: SEV: allocate pages of initial SMRAM save state map
In the next two patches, we'll temporarily decrypt the pages containing
the initial SMRAM save state map, for SMBASE relocation. (Unlike the
separate, relocated SMRAM save state map of each VCPU, the original,
shared map behaves similarly to a "common buffer" between guest and host.)
The decryption will occur near the beginning of the DXE phase, in
AmdSevDxe, and the re-encryption will occur in PiSmmCpuDxeSmm, via OVMF's
SmmCpuFeaturesLib instance.
There is a non-trivial time gap between these two points, and the DXE
phase might use the pages overlapping the initial SMRAM save state map for
arbitrary purposes meanwhile. In order to prevent any information leak
towards the hypervisor, make sure the DXE phase puts nothing in those
pages until re-encryption is done.
Creating a memalloc HOB for the area in question is safe:
- the temporary SEC/PEI RAM (stack and heap) is based at
PcdOvmfSecPeiTempRamBase, which is above 8MB,
- the permanent PEI RAM (installed in PlatformPei's PublishPeiMemory()
function) never starts below PcdOvmfDxeMemFvBase, which is also above
8MB.
The allocated pages can be released to the DXE phase after SMBASE
relocation and re-encryption are complete.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
2018-03-01 17:59:19 +01:00
|
|
|
|
|
|
|
//
|
|
|
|
// When SMM is required, cover the pages containing the initial SMRAM Save
|
|
|
|
// State Map with a memory allocation HOB:
|
|
|
|
//
|
|
|
|
// There's going to be a time interval between our decrypting those pages for
|
|
|
|
// SMBASE relocation and re-encrypting the same pages after SMBASE
|
|
|
|
// relocation. We shall ensure that the DXE phase stay away from those pages
|
|
|
|
// until after re-encryption, in order to prevent an information leak to the
|
|
|
|
// hypervisor.
|
|
|
|
//
|
2022-03-06 03:20:36 +01:00
|
|
|
if (mPlatformInfoHob.SmmSmramRequire && (mPlatformInfoHob.BootMode != BOOT_ON_S3_RESUME)) {
|
2021-12-05 23:54:09 +01:00
|
|
|
RETURN_STATUS LocateMapStatus;
|
|
|
|
UINTN MapPagesBase;
|
|
|
|
UINTN MapPagesCount;
|
OvmfPkg/PlatformPei: SEV: allocate pages of initial SMRAM save state map
In the next two patches, we'll temporarily decrypt the pages containing
the initial SMRAM save state map, for SMBASE relocation. (Unlike the
separate, relocated SMRAM save state map of each VCPU, the original,
shared map behaves similarly to a "common buffer" between guest and host.)
The decryption will occur near the beginning of the DXE phase, in
AmdSevDxe, and the re-encryption will occur in PiSmmCpuDxeSmm, via OVMF's
SmmCpuFeaturesLib instance.
There is a non-trivial time gap between these two points, and the DXE
phase might use the pages overlapping the initial SMRAM save state map for
arbitrary purposes meanwhile. In order to prevent any information leak
towards the hypervisor, make sure the DXE phase puts nothing in those
pages until re-encryption is done.
Creating a memalloc HOB for the area in question is safe:
- the temporary SEC/PEI RAM (stack and heap) is based at
PcdOvmfSecPeiTempRamBase, which is above 8MB,
- the permanent PEI RAM (installed in PlatformPei's PublishPeiMemory()
function) never starts below PcdOvmfDxeMemFvBase, which is also above
8MB.
The allocated pages can be released to the DXE phase after SMBASE
relocation and re-encryption are complete.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
2018-03-01 17:59:19 +01:00
|
|
|
|
|
|
|
LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (
|
|
|
|
&MapPagesBase,
|
|
|
|
&MapPagesCount
|
|
|
|
);
|
|
|
|
ASSERT_RETURN_ERROR (LocateMapStatus);
|
|
|
|
|
2022-03-06 03:20:36 +01:00
|
|
|
if (mPlatformInfoHob.Q35SmramAtDefaultSmbase) {
|
OvmfPkg/SEV: don't manage the lifecycle of the SMRAM at the default SMBASE
When OVMF runs in a SEV guest, the initial SMM Save State Map is
(1) allocated as EfiBootServicesData type memory in OvmfPkg/PlatformPei,
function AmdSevInitialize(), for preventing unintended information
sharing with the hypervisor;
(2) decrypted in AmdSevDxe;
(3) re-encrypted in OvmfPkg/Library/SmmCpuFeaturesLib, function
SmmCpuFeaturesSmmRelocationComplete(), which is called by
PiSmmCpuDxeSmm right after initial SMBASE relocation;
(4) released to DXE at the same location.
The SMRAM at the default SMBASE is a superset of the initial Save State
Map. The reserved memory allocation in InitializeRamRegions(), from the
previous patch, must override the allocating and freeing in (1) and (4),
respectively. (Note: the decrypting and re-encrypting in (2) and (3) are
unaffected.)
In AmdSevInitialize(), only assert the containment of the initial Save
State Map, in the larger area already allocated by InitializeRamRegions().
In SmmCpuFeaturesSmmRelocationComplete(), preserve the allocation of the
initial Save State Map into OS runtime, as part of the allocation done by
InitializeRamRegions(). Only assert containment.
These changes only affect the normal boot path (the UEFI memory map is
untouched during S3 resume).
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1512
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Message-Id: <20200129214412.2361-9-lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-09-20 17:07:43 +02:00
|
|
|
//
|
|
|
|
// The initial SMRAM Save State Map has been covered as part of a larger
|
|
|
|
// reserved memory allocation in InitializeRamRegions().
|
|
|
|
//
|
|
|
|
ASSERT (SMM_DEFAULT_SMBASE <= MapPagesBase);
|
|
|
|
ASSERT (
|
|
|
|
(MapPagesBase + EFI_PAGES_TO_SIZE (MapPagesCount) <=
|
|
|
|
SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)
|
|
|
|
);
|
|
|
|
} else {
|
|
|
|
BuildMemoryAllocationHob (
|
|
|
|
MapPagesBase, // BaseAddress
|
|
|
|
EFI_PAGES_TO_SIZE (MapPagesCount), // Length
|
|
|
|
EfiBootServicesData // MemoryType
|
|
|
|
);
|
|
|
|
}
|
OvmfPkg/PlatformPei: SEV: allocate pages of initial SMRAM save state map
In the next two patches, we'll temporarily decrypt the pages containing
the initial SMRAM save state map, for SMBASE relocation. (Unlike the
separate, relocated SMRAM save state map of each VCPU, the original,
shared map behaves similarly to a "common buffer" between guest and host.)
The decryption will occur near the beginning of the DXE phase, in
AmdSevDxe, and the re-encryption will occur in PiSmmCpuDxeSmm, via OVMF's
SmmCpuFeaturesLib instance.
There is a non-trivial time gap between these two points, and the DXE
phase might use the pages overlapping the initial SMRAM save state map for
arbitrary purposes meanwhile. In order to prevent any information leak
towards the hypervisor, make sure the DXE phase puts nothing in those
pages until re-encryption is done.
Creating a memalloc HOB for the area in question is safe:
- the temporary SEC/PEI RAM (stack and heap) is based at
PcdOvmfSecPeiTempRamBase, which is above 8MB,
- the permanent PEI RAM (installed in PlatformPei's PublishPeiMemory()
function) never starts below PcdOvmfDxeMemFvBase, which is also above
8MB.
The allocated pages can be released to the DXE phase after SMBASE
relocation and re-encryption are complete.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
2018-03-01 17:59:19 +01:00
|
|
|
}
|
2020-08-12 22:21:39 +02:00
|
|
|
|
|
|
|
//
|
|
|
|
// Check and perform SEV-ES initialization if required.
|
|
|
|
//
|
|
|
|
AmdSevEsInitialize ();
|
2021-12-09 04:27:49 +01:00
|
|
|
|
|
|
|
//
|
|
|
|
// Set the Confidential computing attr PCD to communicate which SEV
|
|
|
|
// technology is active.
|
|
|
|
//
|
|
|
|
if (MemEncryptSevSnpIsEnabled ()) {
|
|
|
|
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);
|
|
|
|
} else if (MemEncryptSevEsIsEnabled ()) {
|
|
|
|
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);
|
|
|
|
} else {
|
|
|
|
PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);
|
|
|
|
}
|
|
|
|
|
|
|
|
ASSERT_RETURN_ERROR (PcdStatus);
|
OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled
Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key. Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.
The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:
- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.
CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.
Therefore it is safe to set the PCD for these modules in PlatformPei.
- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.
They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2017-07-06 15:25:48 +02:00
|
|
|
}
|
2021-12-09 04:27:58 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
The function performs SEV specific region initialization.
|
|
|
|
|
|
|
|
**/
|
|
|
|
VOID
|
|
|
|
SevInitializeRam (
|
|
|
|
VOID
|
|
|
|
)
|
|
|
|
{
|
|
|
|
if (MemEncryptSevSnpIsEnabled ()) {
|
|
|
|
//
|
|
|
|
// If SEV-SNP is enabled, reserve the Secrets and CPUID memory area.
|
|
|
|
//
|
|
|
|
// This memory range is given to the PSP by the hypervisor to populate
|
|
|
|
// the information used during the SNP VM boots, and it need to persist
|
|
|
|
// across the kexec boots. Mark it as EfiReservedMemoryType so that
|
|
|
|
// the guest firmware and OS does not use it as a system memory.
|
|
|
|
//
|
|
|
|
BuildMemoryAllocationHob (
|
|
|
|
(EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase),
|
|
|
|
(UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsSize),
|
|
|
|
EfiReservedMemoryType
|
|
|
|
);
|
|
|
|
BuildMemoryAllocationHob (
|
|
|
|
(EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfCpuidBase),
|
|
|
|
(UINT64)(UINTN)PcdGet32 (PcdOvmfCpuidSize),
|
|
|
|
EfiReservedMemoryType
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|