tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/OvmfPkg/ResetVector/ResetVector.nasmb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

163 lines
7.0 KiB
Plaintext
Raw Normal View History

OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
;------------------------------------------------------------------------------
; @file
; This file includes all other code files to assemble the reset vector code
;
; Copyright (c) 2008 - 2013, Intel Corporation. All rights reserved.<BR>
OvmfPkg: Create a calling area used to communicate with the SVSM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654 An SVSM requires a calling area page whose address (CAA) is used by the SVSM to communicate and process the SVSM request. Add a pre-defined page area to the OvmfPkg and AmdSev packages and define corresponding PCDs used to communicate the location and size of the area. Keep the AmdSev package in sync with the OvmfPkg and adjust the AmdSev launch and hash area memory locations. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
2024-03-08 16:32:16 +01:00
; Copyright (c) 2020 - 2024, Advanced Micro Devices, Inc. All rights reserved.<BR>
OvmfPkg: Replace BSD License with BSD+Patent License https://bugzilla.tianocore.org/show_bug.cgi?id=1373 Replace BSD 2-Clause License with BSD+Patent License. This change is based on the following emails: https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html RFCs with detailed process for the license change: V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2019-04-04 01:06:33 +02:00
; SPDX-License-Identifier: BSD-2-Clause-Patent
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
;
;------------------------------------------------------------------------------
;
; If neither ARCH_IA32 nor ARCH_X64 are defined, then try to include
; Base.h to use the C pre-processor to determine the architecture.
;
%ifndef ARCH_IA32
%ifndef ARCH_X64
#include <Base.h>
#if defined (MDE_CPU_IA32)
%define ARCH_IA32
#elif defined (MDE_CPU_X64)
%define ARCH_X64
#endif
%endif
%endif
%ifdef ARCH_IA32
%ifdef ARCH_X64
%error "Only one of ARCH_IA32 or ARCH_X64 can be defined."
%endif
%elifdef ARCH_X64
%else
%error "Either ARCH_IA32 or ARCH_X64 must be defined."
%endif
%include "CommonMacros.inc"
%include "PostCodes.inc"
%ifdef DEBUG_PORT80
%include "Port80Debug.asm"
%elifdef DEBUG_SERIAL
%include "SerialDebug.asm"
OvmfPkg/ResetVector: send post codes to qemu debug console Neat when doing ResetVector coding. Incompatible with TDX and SEV, therefore not enabled by default. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Erdem Aktas <erdemaktas@google.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20240129122929.349726-1-kraxel@redhat.com> [lersek@redhat.com: replace "SEV" with "SEV-ES/SEV-SNP" in comment]
2024-01-29 13:29:29 +01:00
%elif 0
; Set ^ this to 1 to enable postcodes on the qemu debug console.
; Disabled by default because it is incompatible with SEV-ES/SEV-SNP and TDX.
%include "QemuDebugCon.asm"
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
%else
%include "DebugDisabled.asm"
%endif
%include "Ia32/SearchForBfvBase.asm"
%include "Ia32/SearchForSecEntry.asm"
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase))
%define PT_ADDR(Offset) (FixedPcdGet32 (PcdOvmfSecPageTablesBase) + (Offset))
OvmfPkg/ResetVector: add 5-level paging support Add macros to check for 5-level paging and gigabyte page support. Enable 5-level paging for the non-confidential-computing case. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-Id: <20240301074402.98625-7-kraxel@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Oliver Steffen <osteffen@redhat.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Tom Lendacky <thomas.lendacky@amd.com> [lersek@redhat.com: turn the "Cc:" message headers from Gerd's on-list posting into "Cc:" tags in the commit message, in order to pacify "PatchCheck.py"]
2024-03-01 08:43:58 +01:00
%define PG_5_LEVEL (FixedPcdGetBool (PcdUse5LevelPageTable))
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase))
%define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase))
%define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize))
%define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase))
%define SEV_ES_WORK_AREA_SIZE 25
%define SEV_ES_WORK_AREA_STATUS_MSR (FixedPcdGet32 (PcdSevEsWorkAreaBase))
%define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8)
%define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16)
%define SEV_ES_WORK_AREA_RECEIVED_VC (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24)
%define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
%define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase))
%define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
%define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase))
%define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize))
OvmfPkg: Create a calling area used to communicate with the SVSM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654 An SVSM requires a calling area page whose address (CAA) is used by the SVSM to communicate and process the SVSM request. Add a pre-defined page area to the OvmfPkg and AmdSev packages and define corresponding PCDs used to communicate the location and size of the area. Keep the AmdSev package in sync with the OvmfPkg and adjust the AmdSev launch and hash area memory locations. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
2024-03-08 16:32:16 +01:00
%define SVSM_CAA_BASE (FixedPcdGet32 (PcdOvmfSecSvsmCaaBase))
%define SVSM_CAA_SIZE (FixedPcdGet32 (PcdOvmfSecSvsmCaaSize))
OvmfPkg/ResetVector: Define SNP metadata for kernel hashes In order to allow the VMM (such as QEMU) to add a page with hashes of kernel/initrd/cmdline for measured direct boot on SNP, add it explicitly to the SNP metadata list report to the VMM. In such case, VMM should fill the page with the hashes content, or explicitly update it as a zero page (if kernel hashes are not used). Note that for SNP, the launch secret part of the page (lower 3KB) are not relevant and will remain zero. The last 1KB is used for the hashes. This should have no effect on OvmfPkgX64 targets (which don't define PcdSevLaunchSecretBase). Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
2022-03-28 20:11:09 +02:00
%if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0)
; There's a reserved page for SEV secrets and hashes; the VMM will fill and
; validate the page, or mark it as a zero page.
%define SEV_SNP_KERNEL_HASHES_BASE (FixedPcdGet32 (PcdSevLaunchSecretBase))
%define SEV_SNP_KERNEL_HASHES_SIZE (FixedPcdGet32 (PcdSevLaunchSecretSize) + FixedPcdGet32 (PcdQemuHashTableSize))
%else
%define SEV_SNP_KERNEL_HASHES_BASE 0
%define SEV_SNP_KERNEL_HASHES_SIZE 0
%endif
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase))
%define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1)
;
; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used
; as GHCB shared page and second is used for bookkeeping to support the
; nested GHCB in SEC phase. The bookkeeping page is mapped private. The VMM
; does not need to validate the shared page but it need to validate the
; bookkeeping page.
;
%define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000)
%define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2)
OvmfPkg: Create a calling area used to communicate with the SVSM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654 An SVSM requires a calling area page whose address (CAA) is used by the SVSM to communicate and process the SVSM request. Add a pre-defined page area to the OvmfPkg and AmdSev packages and define corresponding PCDs used to communicate the location and size of the area. Keep the AmdSev package in sync with the OvmfPkg and adjust the AmdSev launch and hash area memory locations. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
2024-03-08 16:32:16 +01:00
%define SNP_SEC_MEM_BASE_DESC_3 (SVSM_CAA_BASE + SVSM_CAA_SIZE + SEV_SNP_KERNEL_HASHES_SIZE)
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3)
Ovmfpkg: update Ia32 build to use new work area The commit 80e67af9afca added support for the generic work area concept used mainly by the encrypted VMs. In the past, the work area was preliminary used by the SEV-ES VMs. The SEV-ES support is available for the X64 builds only. But now, that work area header contains fields that nonencrypted VMs and SEV VMs can use. They can be built for IA32. So, moving the work area defines outside of X64. Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area") Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2021-10-14 20:17:10 +02:00
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
%ifdef ARCH_X64
OvmfPkg/ResetVector: Depend on PCD values of the page tables. Currently, the value of the page tables' address is hard-coded in the ResetVector. This patch replaces these values with a PCD dependency. A check for the size has been added to alert the developer to rewrite the ASM according to the new size, if it has been changed. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marvin Haeuser <Marvin.Haeuser@outlook.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2016-11-04 14:32:39 +01:00
#include <AutoGen.h>
%if (FixedPcdGet32 (PcdOvmfSecPageTablesSize) != 0x6000)
%error "This implementation inherently depends on PcdOvmfSecPageTablesSize"
%endif
OvmfPkg: Create a GHCB page for use during Sec phase BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 A GHCB page is needed during the Sec phase, so this new page must be created. Since the #VC exception handler routines assume that a per-CPU variable area is immediately after the GHCB, this per-CPU variable area must also be created. Since the GHCB must be marked as an un-encrypted, or shared, page, an additional pagetable page is required to break down the 2MB region where the GHCB page lives into 4K pagetable entries. Create a new entry in the OVMF memory layout for the new page table page and for the SEC GHCB and per-CPU variable pages. After breaking down the 2MB page, update the GHCB page table entry to remove the encryption mask. The GHCB page will be used by the SEC #VC exception handler. The #VC exception handler will fill in the necessary fields of the GHCB and exit to the hypervisor using the VMGEXIT instruction. The hypervisor then accesses the GHCB in order to perform the requested function. Four new fixed PCDs are needed to support the SEC GHCB page: - PcdOvmfSecGhcbBase UINT32 value that is the base address of the GHCB used during the SEC phase. - PcdOvmfSecGhcbSize UINT32 value that is the size, in bytes, of the GHCB area used during the SEC phase. - PcdOvmfSecGhcbPageTableBase UINT32 value that is address of a page table page used to break down the 2MB page into 512 4K pages. - PcdOvmfSecGhcbPageTableSize UINT32 value that is the size, in bytes, of the page table page. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2020-08-12 22:21:40 +02:00
%if (FixedPcdGet32 (PcdOvmfSecGhcbPageTableSize) != 0x1000)
%error "This implementation inherently depends on PcdOvmfSecGhcbPageTableSize"
%endif
%if (FixedPcdGet32 (PcdOvmfSecGhcbSize) != 0x2000)
%error "This implementation inherently depends on PcdOvmfSecGhcbSize"
%endif
%if ((FixedPcdGet32 (PcdOvmfSecGhcbBase) >> 21) != \
((FixedPcdGet32 (PcdOvmfSecGhcbBase) + FixedPcdGet32 (PcdOvmfSecGhcbSize) - 1) >> 21))
%error "This implementation inherently depends on PcdOvmfSecGhcbBase not straddling a 2MB boundary"
%endif
OvmfPkg: Add IntelTdxMetadata.asm RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 In TDX when host VMM creates a new guest TD, some initial set of TD-private pages are added using the TDH.MEM.PAGE.ADD function. These pages typically contain Virtual BIOS code and data along with some clear pages for stacks and heap. In the meanwhile, some configuration data need be measured by host VMM. Tdx Metadata is designed for this purpose to indicate host VMM how to do the above tasks. More detailed information of Metadata is in [TDVF] Section 11. Tdx Metadata describes the information about the image for VMM use. For example, the base address and length of the TdHob, Bfv, Cfv, etc. The offset of the Metadata is stored in a GUID-ed structure which is appended in the GUID-ed chain from a fixed GPA (0xffffffd0). In this commit there are 2 new definitions of BFV & CFV. Tdx Virtual Firmware (TDVF) includes one Firmware Volume (FV) known as the Boot Firmware Volume (BFV). The FV format is defined in the UEFI Platform Initialization (PI) spec. BFV includes all TDVF components required during boot. TDVF also include a configuration firmware volume (CFV) that is separated from the BFV. The reason is because the CFV is measured in RTMR, while the BFV is measured in MRTD. In practice BFV is the code part of Ovmf image (OVMF_CODE.fd). CFV is the vars part of Ovmf image (OVMF_VARS.fd). Since AMD SEV has already defined some SEV specific memory region in MEMFD. TDX re-uses some of the memory regions defined by SEV. - MailBox : PcdOvmfSecGhcbBackupBase|PcdOvmfSecGhcbBackupSize - TdHob : PcdOvmfSecGhcbBase|PcdOvmfSecGhcbSize [TDVF] https://software.intel.com/content/dam/develop/external/us/en/ documents/tdx-virtual-firmware-design-guide-rev-1.pdf Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2021-09-28 04:47:29 +02:00
%define TDX_BFV_RAW_DATA_OFFSET FixedPcdGet32 (PcdBfvRawDataOffset)
%define TDX_BFV_RAW_DATA_SIZE FixedPcdGet32 (PcdBfvRawDataSize)
%define TDX_BFV_MEMORY_BASE FixedPcdGet32 (PcdBfvBase)
%define TDX_BFV_MEMORY_SIZE FixedPcdGet32 (PcdBfvRawDataSize)
%define TDX_CFV_RAW_DATA_OFFSET FixedPcdGet32 (PcdCfvRawDataOffset)
%define TDX_CFV_RAW_DATA_SIZE FixedPcdGet32 (PcdCfvRawDataSize)
%define TDX_CFV_MEMORY_BASE FixedPcdGet32 (PcdCfvBase),
%define TDX_CFV_MEMORY_SIZE FixedPcdGet32 (PcdCfvRawDataSize),
%define TDX_HEAP_STACK_BASE FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)
%define TDX_HEAP_STACK_SIZE FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)
%define TDX_HOB_MEMORY_BASE FixedPcdGet32 (PcdOvmfSecGhcbBase)
%define TDX_HOB_MEMORY_SIZE FixedPcdGet32 (PcdOvmfSecGhcbSize)
%define TDX_INIT_MEMORY_BASE FixedPcdGet32 (PcdOvmfWorkAreaBase)
%define TDX_INIT_MEMORY_SIZE (FixedPcdGet32 (PcdOvmfWorkAreaSize) + FixedPcdGet32 (PcdOvmfSecGhcbBackupSize))
%define OVMF_PAGE_TABLE_BASE FixedPcdGet32 (PcdOvmfSecPageTablesBase)
%define OVMF_PAGE_TABLE_SIZE FixedPcdGet32 (PcdOvmfSecPageTablesSize)
%define TDX_WORK_AREA_PGTBL_READY (FixedPcdGet32 (PcdOvmfWorkAreaBase) + 4)
%define TDX_WORK_AREA_GPAW (FixedPcdGet32 (PcdOvmfWorkAreaBase) + 8)
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%include "X64/IntelTdxMetadata.asm"
%include "Ia32/Flat32ToFlat64.asm"
%include "Ia32/PageTables64.asm"
%include "Ia32/IntelTdx.asm"
%include "X64/OvmfSevMetadata.asm"
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
%endif
OvmfPkg: Make an Ia32/X64 hybrid build work with SEV The BaseMemEncryptSevLib functionality was updated to rely on the use of the OVMF/SEV workarea to check for SEV guests. However, this area is only updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. Base SEV support is allowed under the Ia32/X64 build, but it now fails to boot as a result of the change. Update the ResetVector code to check for SEV features when built for 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 and Ia32X64 fdf files). Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
2022-05-16 22:24:02 +02:00
%include "Ia32/AmdSev.asm"
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
%include "Ia16/Real16ToFlat32.asm"
%include "Ia16/Init16.asm"
%include "Main.asm"
OvmfPkg: Use the SEV-ES work area for the SEV-ES AP reset vector BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 A hypervisor is not allowed to update an SEV-ES guest's register state, so when booting an SEV-ES guest AP, the hypervisor is not allowed to set the RIP to the guest requested value. Instead an SEV-ES AP must be re-directed from within the guest to the actual requested staring location as specified in the INIT-SIPI-SIPI sequence. Use the SEV-ES work area for the reset vector code that contains support to jump to the desired RIP location after having been started. This is required for only the very first AP reset. This new OVMF source file, ResetVectorVtf0.asm, is used in place of the original file through the use of the include path order set in OvmfPkg/ResetVector/ResetVector.inf under "[BuildOptions]". Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2020-08-12 22:21:42 +02:00
%define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase)
OvmfPkg: create a SEV secret area in the AmdSev memfd SEV needs an area to place an injected secret where OVMF can find it and pass it up as a ConfigurationTable. This patch implements the area itself as an addition to the SEV enhanced reset vector table using an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294). Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 Signed-off-by: James Bottomley <jejb@linux.ibm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Message-Id: <20201130202819.3910-5-jejb@linux.ibm.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com> [lersek@redhat.com: fix typo in "ResetVectorVtf0.asm" comments]
2020-11-30 21:28:17 +01:00
%define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase)
%define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize)
OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes Split the existing 4KB page reserved for SEV launch secrets into two parts: first 3KB for SEV launch secrets and last 1KB for firmware config hashes. The area of the firmware config hashes will be attested (measured) by the PSP and thus the untrusted VMM can't pass in different files from what the guest owner allows. Declare this in the Reset Vector table using GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 and a uint32_t table of a base and size value (similar to the structure used to declare the launch secret block). Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ashish Kalra <ashish.kalra@amd.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Co-developed-by: Dov Murik <dovmurik@linux.ibm.com> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Signed-off-by: James Bottomley <jejb@linux.ibm.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Reviewed-by: Brijesh Singh <brijesh.singh@amd.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2021-01-16 23:42:44 +01:00
%define SEV_FW_HASH_BLOCK_BASE FixedPcdGet32 (PcdQemuHashTableBase)
%define SEV_FW_HASH_BLOCK_SIZE FixedPcdGet32 (PcdQemuHashTableSize)
OvmfPkg: Support building OVMF's ResetVector during the EDK II build Using NASM we build OVMF's ResetVector as part of the EDK II build process. v2: * Use EDK II extension of .nasmb rather than .nasmbin Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15823 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-19 01:03:53 +02:00
%include "Ia16/ResetVectorVtf0.asm"