mirror of
https://github.com/acidanthera/audk.git
synced 2025-08-20 17:18:11 +02:00
9f06feb5d2
The SEV-ES DebugVirtualization feature enables type B swapping of debug registers on #VMEXIT and makes #DB and DR7 intercepts unnecessary and unwanted. When DebugVirtualization is enabled, this stops booting if interaction from the HV. Add new API to PEI, SEC, DXE. This does not change the existing behaviour yet. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Erdem Aktas <erdemaktas@google.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Michael Roth <michael.roth@amd.com> Cc: Min Xu <min.m.xu@intel.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Alexey Kardashevskiy <aik@amd.com> --- Changes: v5: * "rb" from Tom v4: * s/DebugSwap/DebugVirtualization/
244 lines
7.4 KiB
C
244 lines
7.4 KiB
C
/** @file
|
|
|
|
Define Secure Encrypted Virtualization (SEV) base library helper function
|
|
|
|
Copyright (c) 2017 - 2020, AMD Incorporated. All rights reserved.<BR>
|
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
|
|
**/
|
|
|
|
#ifndef _MEM_ENCRYPT_SEV_LIB_H_
|
|
#define _MEM_ENCRYPT_SEV_LIB_H_
|
|
|
|
#include <Base.h>
|
|
#include <WorkArea.h>
|
|
|
|
//
|
|
// Define the maximum number of #VCs allowed (e.g. the level of nesting
|
|
// that is allowed => 2 allows for 1 nested #VCs). I this value is changed,
|
|
// be sure to increase the size of
|
|
// gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
|
|
// in any FDF file using this PCD.
|
|
//
|
|
#define VMGEXIT_MAXIMUM_VC_COUNT 2
|
|
|
|
//
|
|
// Per-CPU data mapping structure
|
|
// Use UINT32 for cached indicators and compare to a specific value
|
|
// so that the hypervisor can't indicate a value is cached by just
|
|
// writing random data to that area.
|
|
//
|
|
typedef struct {
|
|
UINT32 Dr7Cached;
|
|
UINT64 Dr7;
|
|
|
|
UINTN VcCount;
|
|
VOID *GhcbBackupPages;
|
|
} SEV_ES_PER_CPU_DATA;
|
|
|
|
//
|
|
// Memory encryption address range states.
|
|
//
|
|
typedef enum {
|
|
MemEncryptSevAddressRangeUnencrypted,
|
|
MemEncryptSevAddressRangeEncrypted,
|
|
MemEncryptSevAddressRangeMixed,
|
|
MemEncryptSevAddressRangeError,
|
|
} MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE;
|
|
|
|
/**
|
|
Returns a boolean to indicate whether SEV-SNP is enabled
|
|
|
|
@retval TRUE SEV-SNP is enabled
|
|
@retval FALSE SEV-SNP is not enabled
|
|
**/
|
|
BOOLEAN
|
|
EFIAPI
|
|
MemEncryptSevSnpIsEnabled (
|
|
VOID
|
|
);
|
|
|
|
/**
|
|
Returns a boolean to indicate whether SEV-ES is enabled.
|
|
|
|
@retval TRUE SEV-ES is enabled
|
|
@retval FALSE SEV-ES is not enabled
|
|
**/
|
|
BOOLEAN
|
|
EFIAPI
|
|
MemEncryptSevEsIsEnabled (
|
|
VOID
|
|
);
|
|
|
|
/**
|
|
Returns a boolean to indicate whether SEV is enabled
|
|
|
|
@retval TRUE SEV is enabled
|
|
@retval FALSE SEV is not enabled
|
|
**/
|
|
BOOLEAN
|
|
EFIAPI
|
|
MemEncryptSevIsEnabled (
|
|
VOID
|
|
);
|
|
|
|
/**
|
|
This function clears memory encryption bit for the memory region specified by
|
|
BaseAddress and NumPages from the current page table context.
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
current CR3)
|
|
@param[in] BaseAddress The physical address that is the start
|
|
address of a memory region.
|
|
@param[in] NumPages The number of pages from start memory
|
|
region.
|
|
|
|
@retval RETURN_SUCCESS The attributes were cleared for the
|
|
memory region.
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
@retval RETURN_UNSUPPORTED Clearing the memory encryption attribute
|
|
is not supported
|
|
**/
|
|
RETURN_STATUS
|
|
EFIAPI
|
|
MemEncryptSevClearPageEncMask (
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
IN UINTN NumPages
|
|
);
|
|
|
|
/**
|
|
This function sets memory encryption bit for the memory region specified by
|
|
BaseAddress and NumPages from the current page table context.
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
current CR3)
|
|
@param[in] BaseAddress The physical address that is the start
|
|
address of a memory region.
|
|
@param[in] NumPages The number of pages from start memory
|
|
region.
|
|
|
|
@retval RETURN_SUCCESS The attributes were set for the memory
|
|
region.
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
@retval RETURN_UNSUPPORTED Setting the memory encryption attribute
|
|
is not supported
|
|
**/
|
|
RETURN_STATUS
|
|
EFIAPI
|
|
MemEncryptSevSetPageEncMask (
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
IN UINTN NumPages
|
|
);
|
|
|
|
/**
|
|
Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
|
|
Save State Map.
|
|
|
|
@param[out] BaseAddress The base address of the lowest-address page that
|
|
covers the initial SMRAM Save State Map.
|
|
|
|
@param[out] NumberOfPages The number of pages in the page range that covers
|
|
the initial SMRAM Save State Map.
|
|
|
|
@retval RETURN_SUCCESS BaseAddress and NumberOfPages have been set on
|
|
output.
|
|
|
|
@retval RETURN_UNSUPPORTED SMM is unavailable.
|
|
**/
|
|
RETURN_STATUS
|
|
EFIAPI
|
|
MemEncryptSevLocateInitialSmramSaveStateMapPages (
|
|
OUT UINTN *BaseAddress,
|
|
OUT UINTN *NumberOfPages
|
|
);
|
|
|
|
/**
|
|
Returns the SEV encryption mask.
|
|
|
|
@return The SEV pagetable encryption mask
|
|
**/
|
|
UINT64
|
|
EFIAPI
|
|
MemEncryptSevGetEncryptionMask (
|
|
VOID
|
|
);
|
|
|
|
/**
|
|
Returns a boolean to indicate whether DebugVirtualization is enabled.
|
|
|
|
@retval TRUE DebugVirtualization is enabled
|
|
@retval FALSE DebugVirtualization is not enabled
|
|
**/
|
|
BOOLEAN
|
|
EFIAPI
|
|
MemEncryptSevEsDebugVirtualizationIsEnabled (
|
|
VOID
|
|
);
|
|
|
|
/**
|
|
Returns the encryption state of the specified virtual address range.
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
current CR3)
|
|
@param[in] BaseAddress Base address to check
|
|
@param[in] Length Length of virtual address range
|
|
|
|
@retval MemEncryptSevAddressRangeUnencrypted Address range is mapped
|
|
unencrypted
|
|
@retval MemEncryptSevAddressRangeEncrypted Address range is mapped
|
|
encrypted
|
|
@retval MemEncryptSevAddressRangeMixed Address range is mapped mixed
|
|
@retval MemEncryptSevAddressRangeError Address range is not mapped
|
|
**/
|
|
MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE
|
|
EFIAPI
|
|
MemEncryptSevGetAddressRangeState (
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
IN UINTN Length
|
|
);
|
|
|
|
/**
|
|
This function clears memory encryption bit for the MMIO region specified by
|
|
BaseAddress and NumPages.
|
|
|
|
@param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
|
|
current CR3)
|
|
@param[in] BaseAddress The physical address that is the start
|
|
address of a MMIO region.
|
|
@param[in] NumPages The number of pages from start memory
|
|
region.
|
|
|
|
@retval RETURN_SUCCESS The attributes were cleared for the
|
|
memory region.
|
|
@retval RETURN_INVALID_PARAMETER Number of pages is zero.
|
|
@retval RETURN_UNSUPPORTED Clearing the memory encryption attribute
|
|
is not supported
|
|
**/
|
|
RETURN_STATUS
|
|
EFIAPI
|
|
MemEncryptSevClearMmioPageEncMask (
|
|
IN PHYSICAL_ADDRESS Cr3BaseAddress,
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
IN UINTN NumPages
|
|
);
|
|
|
|
/**
|
|
Pre-validate the system RAM when SEV-SNP is enabled in the guest VM.
|
|
|
|
@param[in] BaseAddress Base address
|
|
@param[in] NumPages Number of pages starting from the base address
|
|
|
|
**/
|
|
VOID
|
|
EFIAPI
|
|
MemEncryptSevSnpPreValidateSystemRam (
|
|
IN PHYSICAL_ADDRESS BaseAddress,
|
|
IN UINTN NumPages
|
|
);
|
|
|
|
#endif // _MEM_ENCRYPT_SEV_LIB_H_
|