diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index 4fa9c0d700..c5653539d8 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask ( VOID ); +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ); + /** Returns the encryption state of the specified virtual address range. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4aba0075b9..9947d663de 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck ( IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { + UINT64 CurrentLevel; + + CurrentLevel = CurrentAttr & CCAttrTypeMask; + switch (Attr) { case CCAttrAmdSev: // // SEV is automatically enabled if SEV-ES or SEV-SNP is active. // - return CurrentAttr >= CCAttrAmdSev; + return CurrentLevel >= CCAttrAmdSev; case CCAttrAmdSevEs: // // SEV-ES is automatically enabled if SEV-SNP is active. // - return CurrentAttr >= CCAttrAmdSevEs; + return CurrentLevel >= CCAttrAmdSevEs; case CCAttrAmdSevSnp: - return CurrentAttr == CCAttrAmdSevSnp; + return CurrentLevel == CCAttrAmdSevSnp; + case CCAttrFeatureAmdSevEsDebugVirtualization: + return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization); default: return FALSE; } @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask ( return mSevEncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index 41d1246a5b..7d823ad639 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 27148c7e33..33a326ac15 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} + /** Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM Save State Map. diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c index da8f1e5db9..2031fa9e22 100644 --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c @@ -1609,6 +1609,10 @@ Dr7WriteExit ( UINT64 *Register; UINT64 Status; + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext = &InstructionData->Ext; SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); @@ -1659,6 +1663,10 @@ Dr7ReadExit ( SEV_ES_PER_CPU_DATA *SevEsData; UINT64 *Register; + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext = &InstructionData->Ext; SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1);