MdePkg: Add TME-MK related CPUID and MSR definitions

TME (Total Memory Encryption) is the capability to encrypt
the entirety of physical memory of a system.
TME-MK (Total Memory Encryption-Multi-Key) builds on TME and adds
support for multiple encryption keys.

The patch adds some necessary CPUID/MSR definitions for TME-MK.

Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>

MdePkg/Include/Register/Intel/ArchitecturalMsr.h

@@ -6,7 +6,7 @@
   returned is a single 32-bit or 64-bit value, then a data structure is not
   provided for that MSR.
 
-  Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2016 - 2023, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   @par Specification Reference:
@@ -5679,6 +5679,110 @@ typedef union {
 **/
 #define MSR_IA32_X2APIC_SELF_IPI  0x0000083F
 
+/**
+  Memory Encryption Activation MSR. If CPUID.07H:ECX.[13] = 1.
+
+  @param  ECX  MSR_IA32_TME_ACTIVATE (0x00000982)
+  @param  EAX  Lower 32-bits of MSR value.
+               Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.
+  @param  EDX  Upper 32-bits of MSR value.
+               Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.
+
+  <b>Example usage</b>
+  @code
+  MSR_IA32_TME_ACTIVATE_REGISTER  Msr;
+
+  Msr.Uint64 = AsmReadMsr64 (MSR_IA32_TME_ACTIVATE);
+  AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64);
+  @endcode
+  @note MSR_IA32_TME_ACTIVATE is defined as IA32_TME_ACTIVATE in SDM.
+**/
+#define MSR_IA32_TME_ACTIVATE  0x00000982
+
+/**
+  MSR information returned for MSR index #MSR_IA32_TME_ACTIVATE
+**/
+typedef union {
+  ///
+  /// Individual bit fields
+  ///
+  struct {
+    ///
+    /// [Bit 0] Lock R/O: Will be set upon successful WRMSR (or first SMI);
+    /// written value ignored..
+    ///
+    UINT32    Lock              : 1;
+    ///
+    /// [Bit 1] Hardware Encryption Enable: This bit also enables MKTME; MKTME
+    /// cannot be enabled without enabling encryption hardware.
+    ///
+    UINT32    TmeEnable         : 1;
+    ///
+    /// [Bit 2] Key Select:
+    /// 0: Create a new TME key (expected cold/warm boot).
+    /// 1: Restore the TME key from storage (Expected when resume from standby).
+    ///
+    UINT32    KeySelect         : 1;
+    ///
+    /// [Bit 3] Save TME Key for Standby: Save key into storage to be used when
+    /// resume from standby.
+    /// Note: This may not be supported in all processors.
+    ///
+    UINT32    SaveKeyForStandby : 1;
+    ///
+    /// [Bit 7:4] TME Policy/Encryption Algorithm: Only algorithms enumerated in
+    /// IA32_TME_CAPABILITY are allowed.
+    /// For example:
+    ///   0000 – AES-XTS-128.
+    ///   0001 – AES-XTS-128 with integrity.
+    ///   0010 – AES-XTS-256.
+    ///   Other values are invalid.
+    ///
+    UINT32    TmePolicy : 4;
+    UINT32    Reserved  : 23;
+    ///
+    /// [Bit 31] TME Encryption Bypass Enable: When encryption hardware is enabled:
+    /// * Total Memory Encryption is enabled using a CPU generated ephemeral key
+    ///   based on a hardware random number generator when this bit is set to 0.
+    /// * Total Memory Encryption is bypassed (no encryption/decryption for KeyID0)
+    ///   when this bit is set to 1.
+    /// Software must inspect Hardware Encryption Enable (bit 1) and TME encryption
+    /// bypass Enable (bit 31) to determine if TME encryption is enabled.
+    ///
+    UINT32    TmeBypassMode : 1;
+    ///
+    /// [Bit 35:32] MK_TME_KEYID_BITS: Reserved if MKTME is not enumerated, otherwise:
+    /// The number of key identifier bits to allocate to MKTME usage.
+    /// Similar to enumeration, this is an encoded value.
+    /// Writing a value greater than MK_TME_MAX_KEYID_BITS will result in #GP.
+    /// Writing a non-zero value to this field will #GP if bit 1 of EAX (Hardware
+    /// Encryption Enable) is not also set to ‘1, as encryption hardware must be
+    /// enabled to use MKTME.
+    /// Example: To support 255 keys, this field would be set to a value of 8.
+    ///
+    UINT32    MkTmeKeyidBits : 4;
+    UINT32    Reserved2      : 12;
+    ///
+    /// [Bit 63:48] MK_TME_CRYPTO_ALGS: Reserved if MKTME is not enumerated, otherwise:
+    ///   Bit 48: AES-XTS 128.
+    ///   Bit 49: AES-XTS 128 with integrity.
+    ///   Bit 50: AES-XTS 256.
+    ///   Bit 63:51: Reserved (#GP)
+    /// Bitmask for BIOS to set which encryption algorithms are allowed for MKTME, would
+    /// be later enforced by the key loading ISA ('1= allowed)
+    ///
+    UINT32    MkTmeCryptoAlgs : 16;
+  } Bits;
+  ///
+  /// All bit fields as a 32-bit value
+  ///
+  UINT32    Uint32[2];
+  ///
+  /// All bit fields as a 64-bit value
+  ///
+  UINT64    Uint64;
+} MSR_IA32_TME_ACTIVATE_REGISTER;
+
 /**
   Silicon Debug Feature Control (R/W). If CPUID.01H:ECX.[11] = 1.
 

MdePkg/Include/Register/Intel/Cpuid.h

@@ -6,7 +6,7 @@
   If a register returned is a single 32-bit value, then a data structure is
   not provided for that register.
 
-  Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2015 - 2023, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   @par Specification Reference:
@@ -1490,7 +1490,12 @@ typedef union {
     /// RDPKRU/WRPKRU instructions).
     ///
     UINT32    OSPKE            : 1;
-    UINT32    Reserved5        : 9;
+    UINT32    Reserved8        : 8;
+    ///
+    /// [Bit 13] If 1, the following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE,
+    /// IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE.
+    ///
+    UINT32    TME_EN           : 1;
     ///
     /// [Bits 14] AVX512_VPOPCNTDQ. (Intel Xeon Phi only.).
     ///