audk/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c

/** @file

  SEV-SNP Page Validation functions.

  Copyright (c) 2021 AMD Incorporated. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

**/

#include <Uefi/UefiBaseType.h>
#include <Library/BaseLib.h>
#include <Library/MemEncryptSevLib.h>

#include "SnpPageStateChange.h"

//
// The variable used for the VMPL check.
//
STATIC UINT8  gVmpl0Data[4096];

/**
 The function checks whether SEV-SNP guest is booted under VMPL0.

 @retval  TRUE      The guest is booted under VMPL0
 @retval  FALSE     The guest is not booted under VMPL0
 **/
STATIC
BOOLEAN
SevSnpIsVmpl0 (
  VOID
  )
{
  UINT64      Rdx;
  EFI_STATUS  Status;

  //
  // There is no straightforward way to query the current VMPL level.
  // The simplest method is to use the RMPADJUST instruction to change
  // a page permission to a VMPL level-1, and if the guest kernel is
  // launched at a level <= 1, then RMPADJUST instruction will return
  // an error.
  //
  Rdx = 1;

  Status = AsmRmpAdjust ((UINT64)gVmpl0Data, 0, Rdx);
  if (EFI_ERROR (Status)) {
    return FALSE;
  }

  return TRUE;
}

/**
  Pre-validate the system RAM when SEV-SNP is enabled in the guest VM.

  @param[in]  BaseAddress             Base address
  @param[in]  NumPages                Number of pages starting from the base address

**/
VOID
EFIAPI
MemEncryptSevSnpPreValidateSystemRam (
  IN PHYSICAL_ADDRESS  BaseAddress,
  IN UINTN             NumPages
  )
{
  if (!MemEncryptSevSnpIsEnabled ()) {
    return;
  }

  //
  // The page state change uses the PVALIDATE instruction. The instruction
  // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate
  // the boot.
  //
  if (!SevSnpIsVmpl0 ()) {
    SnpPageStateFailureTerminate ();
  }

  InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE);
}
OvmfPkg/MemEncryptSevLib: add support to validate system RAM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The guest can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXIT defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM can use the PVALIDATE instruction to validate the private page before using it. During the guest creation, the boot ROM memory is pre-validated by the AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called during the SEC and PEI phase to validate the detected system RAM. One of the fields in the Page State Change NAE is the RMP page size. The page size input parameter indicates that either a 4KB or 2MB page should be used while adding the RMP entry. During the validation, when possible, the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A hypervisor backing the memory may choose to use the different page size in the RMP entry. In those cases, the PVALIDATE instruction should return SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512-pages constituting a 2MB region. Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if instruction changed the RMP entry and to 1 if the instruction did not change the RMP entry. The rFlags.CF will be 1 only when a memory region is already validated. We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> 2021-12-09 04:27:42 +01:00			`/** @file`

			`SEV-SNP Page Validation functions.`

			`Copyright (c) 2021 AMD Incorporated. All rights reserved.<BR>`

			`SPDX-License-Identifier: BSD-2-Clause-Patent`

			`**/`

			`#include <Uefi/UefiBaseType.h>`
			`#include <Library/BaseLib.h>`
			`#include <Library/MemEncryptSevLib.h>`

			`#include "SnpPageStateChange.h"`

OvmfPkg/MemEncryptSevLib: add function to check the VMPL0 BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP architecture allows a guest VM to divide its address space into four levels. The level can be used to provide the hardware isolated abstraction layers with a VM. The VMPL0 is the highest privilege, and VMPL3 is the least privilege. Certain operations must be done by the VMPL0 software, such as: * Validate or invalidate memory range (PVALIDATE instruction) * Allocate VMSA page (RMPADJUST instruction when VMSA=1) The initial SEV-SNP support assumes that the guest is running on VMPL0. Let's add function in the MemEncryptSevLib that can be used for checking whether guest is booted under the VMPL0. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> 2021-12-09 04:27:43 +01:00			`//`
			`// The variable used for the VMPL check.`
			`//`
			`STATIC UINT8 gVmpl0Data[4096];`

			`/**`
			`The function checks whether SEV-SNP guest is booted under VMPL0.`

			`@retval TRUE The guest is booted under VMPL0`
			`@retval FALSE The guest is not booted under VMPL0`
			`**/`
			`STATIC`
			`BOOLEAN`
			`SevSnpIsVmpl0 (`
			`VOID`
			`)`
			`{`
			`UINT64 Rdx;`
			`EFI_STATUS Status;`

			`//`
			`// There is no straightforward way to query the current VMPL level.`
			`// The simplest method is to use the RMPADJUST instruction to change`
			`// a page permission to a VMPL level-1, and if the guest kernel is`
			`// launched at a level <= 1, then RMPADJUST instruction will return`
			`// an error.`
			`//`
			`Rdx = 1;`

			`Status = AsmRmpAdjust ((UINT64)gVmpl0Data, 0, Rdx);`
			`if (EFI_ERROR (Status)) {`
			`return FALSE;`
			`}`

			`return TRUE;`
			`}`

OvmfPkg/MemEncryptSevLib: add support to validate system RAM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The guest can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXIT defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM can use the PVALIDATE instruction to validate the private page before using it. During the guest creation, the boot ROM memory is pre-validated by the AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called during the SEC and PEI phase to validate the detected system RAM. One of the fields in the Page State Change NAE is the RMP page size. The page size input parameter indicates that either a 4KB or 2MB page should be used while adding the RMP entry. During the validation, when possible, the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A hypervisor backing the memory may choose to use the different page size in the RMP entry. In those cases, the PVALIDATE instruction should return SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512-pages constituting a 2MB region. Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if instruction changed the RMP entry and to 1 if the instruction did not change the RMP entry. The rFlags.CF will be 1 only when a memory region is already validated. We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> 2021-12-09 04:27:42 +01:00			`/**`
			`Pre-validate the system RAM when SEV-SNP is enabled in the guest VM.`

			`@param[in] BaseAddress Base address`
			`@param[in] NumPages Number of pages starting from the base address`

			`**/`
			`VOID`
			`EFIAPI`
			`MemEncryptSevSnpPreValidateSystemRam (`
			`IN PHYSICAL_ADDRESS BaseAddress,`
			`IN UINTN NumPages`
			`)`
			`{`
			`if (!MemEncryptSevSnpIsEnabled ()) {`
			`return;`
			`}`

OvmfPkg/MemEncryptSevLib: add function to check the VMPL0 BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP architecture allows a guest VM to divide its address space into four levels. The level can be used to provide the hardware isolated abstraction layers with a VM. The VMPL0 is the highest privilege, and VMPL3 is the least privilege. Certain operations must be done by the VMPL0 software, such as: * Validate or invalidate memory range (PVALIDATE instruction) * Allocate VMSA page (RMPADJUST instruction when VMSA=1) The initial SEV-SNP support assumes that the guest is running on VMPL0. Let's add function in the MemEncryptSevLib that can be used for checking whether guest is booted under the VMPL0. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> 2021-12-09 04:27:43 +01:00			`//`
			`// The page state change uses the PVALIDATE instruction. The instruction`
			`// can be run on VMPL-0 only. If its not VMPL-0 guest then terminate`
			`// the boot.`
			`//`
			`if (!SevSnpIsVmpl0 ()) {`
			`SnpPageStateFailureTerminate ();`
			`}`

OvmfPkg/MemEncryptSevLib: add support to validate system RAM BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The guest can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXIT defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM can use the PVALIDATE instruction to validate the private page before using it. During the guest creation, the boot ROM memory is pre-validated by the AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called during the SEC and PEI phase to validate the detected system RAM. One of the fields in the Page State Change NAE is the RMP page size. The page size input parameter indicates that either a 4KB or 2MB page should be used while adding the RMP entry. During the validation, when possible, the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A hypervisor backing the memory may choose to use the different page size in the RMP entry. In those cases, the PVALIDATE instruction should return SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512-pages constituting a 2MB region. Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if instruction changed the RMP entry and to 1 if the instruction did not change the RMP entry. The rFlags.CF will be 1 only when a memory region is already validated. We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth <michael.roth@amd.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> 2021-12-09 04:27:42 +01:00			`InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE);`
			`}`