audk/OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf

## @file
# Map TPM MMIO range unencrypted when SEV-ES is active.
# Install gOvmfTpmMmioAccessiblePpiGuid unconditionally.
#
# Copyright (C) 2021, Advanced Micro Devices, Inc.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

[Defines]
  INF_VERSION                    = 1.29
  BASE_NAME                      = TpmMmioSevDecryptPei
  FILE_GUID                      = F12F698A-E506-4A1B-B32E-6920E55DA1C4
  MODULE_TYPE                    = PEIM
  VERSION_STRING                 = 1.0
  ENTRY_POINT                    = TpmMmioSevDecryptPeimEntryPoint

[Sources]
  TpmMmioSevDecryptPeim.c

[Packages]
  MdePkg/MdePkg.dec
  OvmfPkg/OvmfPkg.dec
  SecurityPkg/SecurityPkg.dec

[LibraryClasses]
  DebugLib
  MemEncryptSevLib
  PcdLib
  PeimEntryPoint
  PeiServicesLib

[Ppis]
  gOvmfTpmMmioAccessiblePpiGuid                      ## PRODUCES

[FixedPcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress    ## CONSUMES

[Depex]
  gEfiPeiMemoryDiscoveredPpiGuid
OvmfPkg/TpmMmioSevDecryptPei: Mark TPM MMIO range as unencrypted for SEV-ES BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345 During PEI, the MMIO range for the TPM is marked as encrypted when running as an SEV guest. While this isn't an issue for an SEV guest because of the way the nested page fault is handled, it does result in an SEV-ES guest terminating because of a mitigation check in the #VC handler to prevent MMIO to an encrypted address. For an SEV-ES guest, this range must be marked as unencrypted. Create a new x86 PEIM for TPM support that will map the TPM MMIO range as unencrypted when SEV-ES is active. The gOvmfTpmMmioAccessiblePpiGuid PPI will be unconditionally installed before exiting. The PEIM will exit with the EFI_ABORTED status so that the PEIM does not stay resident. This new PEIM will depend on the installation of the permanent PEI RAM, by PlatformPei, so that in case page table splitting is required during the clearing of the encryption bit, the new page table(s) will be allocated from permanent PEI RAM. Update all OVMF Ia32 and X64 build packages to include this new PEIM. Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Message-Id: <42794cec1f9d5bc24cbfb9dcdbe5e281ef259ef5.1619716333.git.thomas.lendacky@amd.com> [lersek@redhat.com: refresh subject line] Reviewed-by: Laszlo Ersek <lersek@redhat.com> 2021-04-29 19:12:13 +02:00			`## @file`
			`# Map TPM MMIO range unencrypted when SEV-ES is active.`
			`# Install gOvmfTpmMmioAccessiblePpiGuid unconditionally.`
			`#`
			`# Copyright (C) 2021, Advanced Micro Devices, Inc.`
			`#`
			`# SPDX-License-Identifier: BSD-2-Clause-Patent`
			`##`

			`[Defines]`
			`INF_VERSION = 1.29`
			`BASE_NAME = TpmMmioSevDecryptPei`
			`FILE_GUID = F12F698A-E506-4A1B-B32E-6920E55DA1C4`
			`MODULE_TYPE = PEIM`
			`VERSION_STRING = 1.0`
			`ENTRY_POINT = TpmMmioSevDecryptPeimEntryPoint`

			`[Sources]`
			`TpmMmioSevDecryptPeim.c`

			`[Packages]`
			`MdePkg/MdePkg.dec`
			`OvmfPkg/OvmfPkg.dec`
			`SecurityPkg/SecurityPkg.dec`

			`[LibraryClasses]`
			`DebugLib`
			`MemEncryptSevLib`
			`PcdLib`
			`PeimEntryPoint`
			`PeiServicesLib`

			`[Ppis]`
			`gOvmfTpmMmioAccessiblePpiGuid ## PRODUCES`

			`[FixedPcd]`
			`gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES`

			`[Depex]`
			`gEfiPeiMemoryDiscoveredPpiGuid`