2017-07-06 15:21:12 +02:00
|
|
|
/** @file
|
|
|
|
|
|
|
|
Define Secure Encrypted Virtualization (SEV) base library helper function
|
|
|
|
|
2021-01-07 19:48:12 +01:00
|
|
|
Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
|
2017-07-06 15:21:12 +02:00
|
|
|
|
2019-04-04 01:06:33 +02:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
2017-07-06 15:21:12 +02:00
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
#ifndef _MEM_ENCRYPT_SEV_LIB_H_
|
|
|
|
#define _MEM_ENCRYPT_SEV_LIB_H_
|
|
|
|
|
|
|
|
#include <Base.h>
|
OvmfPkg: introduce a common work area
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
Both the TDX and SEV support needs to reserve a page in MEMFD as a work
area. The page will contain meta data specific to the guest type.
Currently, the SEV-ES support reserves a page in MEMFD
(PcdSevEsWorkArea) for the work area. This page can be reused as a TDX
work area when Intel TDX is enabled.
Based on the discussion [1], it was agreed to rename the SevEsWorkArea
to the OvmfWorkArea, and add a header that can be used to indicate the
work area type.
[1] https://edk2.groups.io/g/devel/message/78262?p=,,,20,0,0,0::\
created,0,SNP,20,2,0,84476064
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
2021-08-17 15:46:49 +02:00
|
|
|
#include <WorkArea.h>
|
2017-07-06 15:21:12 +02:00
|
|
|
|
2021-01-07 19:48:23 +01:00
|
|
|
//
|
|
|
|
// Define the maximum number of #VCs allowed (e.g. the level of nesting
|
|
|
|
// that is allowed => 2 allows for 1 nested #VCs). I this value is changed,
|
|
|
|
// be sure to increase the size of
|
|
|
|
// gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
|
|
|
|
// in any FDF file using this PCD.
|
|
|
|
//
|
2021-12-05 23:54:09 +01:00
|
|
|
#define VMGEXIT_MAXIMUM_VC_COUNT 2
|
2021-01-07 19:48:23 +01:00
|
|
|
|
|
|
|
//
|
|
|
|
// Per-CPU data mapping structure
|
|
|
|
// Use UINT32 for cached indicators and compare to a specific value
|
|
|
|
// so that the hypervisor can't indicate a value is cached by just
|
|
|
|
// writing random data to that area.
|
|
|
|
//
|
|
|
|
typedef struct {
|
2021-12-05 23:54:09 +01:00
|
|
|
UINT32 Dr7Cached;
|
|
|
|
UINT64 Dr7;
|
2021-01-07 19:48:23 +01:00
|
|
|
|
2021-12-05 23:54:09 +01:00
|
|
|
UINTN VcCount;
|
|
|
|
VOID *GhcbBackupPages;
|
2021-01-07 19:48:23 +01:00
|
|
|
} SEV_ES_PER_CPU_DATA;
|
|
|
|
|
2021-01-07 19:48:22 +01:00
|
|
|
//
|
|
|
|
// Memory encryption address range states.
|
|
|
|
//
|
|
|
|
typedef enum {
|
|
|
|
MemEncryptSevAddressRangeUnencrypted,
|
|
|
|
MemEncryptSevAddressRangeEncrypted,
|
|
|
|
MemEncryptSevAddressRangeMixed,
|
|
|
|
MemEncryptSevAddressRangeError,
|
|
|
|
} MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE;
|
|
|
|
|
2020-08-12 22:21:39 +02:00
|
|
|
/**
|
|
|
|
Returns a boolean to indicate whether SEV-ES is enabled.
|
|
|
|
|
|
|
|
@retval TRUE SEV-ES is enabled
|
|
|
|
@retval FALSE SEV-ES is not enabled
|
|
|
|
**/
|
|
|
|
BOOLEAN
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevEsIsEnabled (
|
|
|
|
VOID
|
|
|
|
);
|
|
|
|
|
2017-07-06 15:21:12 +02:00
|
|
|
/**
|
|
|
|
Returns a boolean to indicate whether SEV is enabled
|
|
|
|
|
2018-03-01 14:41:01 +01:00
|
|
|
@retval TRUE SEV is enabled
|
2017-07-06 15:21:12 +02:00
|
|
|
@retval FALSE SEV is not enabled
|
2018-03-01 14:41:01 +01:00
|
|
|
**/
|
2017-07-06 15:21:12 +02:00
|
|
|
BOOLEAN
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevIsEnabled (
|
|
|
|
VOID
|
|
|
|
);
|
|
|
|
|
|
|
|
/**
|
2018-03-01 14:41:01 +01:00
|
|
|
This function clears memory encryption bit for the memory region specified by
|
|
|
|
BaseAddress and NumPages from the current page table context.
|
|
|
|
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
|
|
current CR3)
|
|
|
|
@param[in] BaseAddress The physical address that is the start
|
|
|
|
address of a memory region.
|
|
|
|
@param[in] NumPages The number of pages from start memory
|
|
|
|
region.
|
|
|
|
|
|
|
|
@retval RETURN_SUCCESS The attributes were cleared for the
|
|
|
|
memory region.
|
|
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
|
|
@retval RETURN_UNSUPPORTED Clearing the memory encryption attribute
|
|
|
|
is not supported
|
|
|
|
**/
|
2017-07-06 15:21:12 +02:00
|
|
|
RETURN_STATUS
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevClearPageEncMask (
|
2021-12-05 23:54:09 +01:00
|
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
|
|
IN UINTN NumPages
|
2017-07-06 15:21:12 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
/**
|
|
|
|
This function sets memory encryption bit for the memory region specified by
|
2018-03-01 14:41:01 +01:00
|
|
|
BaseAddress and NumPages from the current page table context.
|
2017-07-06 15:21:12 +02:00
|
|
|
|
2018-03-01 14:41:01 +01:00
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
|
|
current CR3)
|
|
|
|
@param[in] BaseAddress The physical address that is the start
|
|
|
|
address of a memory region.
|
|
|
|
@param[in] NumPages The number of pages from start memory
|
|
|
|
region.
|
2017-07-06 15:21:12 +02:00
|
|
|
|
2018-03-01 14:41:01 +01:00
|
|
|
@retval RETURN_SUCCESS The attributes were set for the memory
|
|
|
|
region.
|
|
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
|
|
@retval RETURN_UNSUPPORTED Setting the memory encryption attribute
|
|
|
|
is not supported
|
|
|
|
**/
|
2017-07-06 15:21:12 +02:00
|
|
|
RETURN_STATUS
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevSetPageEncMask (
|
2021-12-05 23:54:09 +01:00
|
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
|
|
IN UINTN NumPages
|
2017-07-06 15:21:12 +02:00
|
|
|
);
|
2018-03-01 17:31:44 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
|
|
|
|
Save State Map.
|
|
|
|
|
|
|
|
@param[out] BaseAddress The base address of the lowest-address page that
|
|
|
|
covers the initial SMRAM Save State Map.
|
|
|
|
|
|
|
|
@param[out] NumberOfPages The number of pages in the page range that covers
|
|
|
|
the initial SMRAM Save State Map.
|
|
|
|
|
|
|
|
@retval RETURN_SUCCESS BaseAddress and NumberOfPages have been set on
|
|
|
|
output.
|
|
|
|
|
|
|
|
@retval RETURN_UNSUPPORTED SMM is unavailable.
|
|
|
|
**/
|
|
|
|
RETURN_STATUS
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevLocateInitialSmramSaveStateMapPages (
|
2021-12-05 23:54:09 +01:00
|
|
|
OUT UINTN *BaseAddress,
|
|
|
|
OUT UINTN *NumberOfPages
|
2018-03-01 17:31:44 +01:00
|
|
|
);
|
2021-01-07 19:48:16 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
Returns the SEV encryption mask.
|
|
|
|
|
|
|
|
@return The SEV pagetable encryption mask
|
|
|
|
**/
|
|
|
|
UINT64
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevGetEncryptionMask (
|
|
|
|
VOID
|
|
|
|
);
|
|
|
|
|
2021-01-07 19:48:22 +01:00
|
|
|
/**
|
|
|
|
Returns the encryption state of the specified virtual address range.
|
|
|
|
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
|
|
current CR3)
|
|
|
|
@param[in] BaseAddress Base address to check
|
|
|
|
@param[in] Length Length of virtual address range
|
|
|
|
|
|
|
|
@retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
|
|
|
|
unencrypted
|
|
|
|
@retval MemEncryptSevAddressRangeEncrypted Address range is mapped
|
|
|
|
encrypted
|
|
|
|
@retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
|
|
|
|
@retval MemEncryptSevAddressRangeError Address range is not mapped
|
|
|
|
**/
|
|
|
|
MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevGetAddressRangeState (
|
2021-12-05 23:54:09 +01:00
|
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
|
|
IN UINTN Length
|
2021-01-07 19:48:22 +01:00
|
|
|
);
|
|
|
|
|
2021-05-19 20:19:45 +02:00
|
|
|
/**
|
|
|
|
This function clears memory encryption bit for the MMIO region specified by
|
|
|
|
BaseAddress and NumPages.
|
|
|
|
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
|
|
current CR3)
|
|
|
|
@param[in] BaseAddress The physical address that is the start
|
|
|
|
address of a MMIO region.
|
|
|
|
@param[in] NumPages The number of pages from start memory
|
|
|
|
region.
|
|
|
|
|
|
|
|
@retval RETURN_SUCCESS The attributes were cleared for the
|
|
|
|
memory region.
|
|
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
|
|
@retval RETURN_UNSUPPORTED Clearing the memory encryption attribute
|
|
|
|
is not supported
|
|
|
|
**/
|
|
|
|
RETURN_STATUS
|
|
|
|
EFIAPI
|
|
|
|
MemEncryptSevClearMmioPageEncMask (
|
2021-12-05 23:54:09 +01:00
|
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
|
|
IN UINTN NumPages
|
2021-05-19 20:19:45 +02:00
|
|
|
);
|
|
|
|
|
2017-07-06 15:21:12 +02:00
|
|
|
#endif // _MEM_ENCRYPT_SEV_LIB_H_
|