tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
audk/OvmfPkg/PlatformPei
History
Tom Lendacky 0bbed0664f OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported 
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Protect the memory used by an SEV-ES guest when S3 is supported. This
includes the page table used to break down the 2MB page that contains
the GHCB so that it can be marked un-encrypted, as well as the GHCB
area.

Regarding the lifecycle of the GHCB-related memory areas:
  PcdOvmfSecGhcbPageTableBase
  PcdOvmfSecGhcbBase

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the GHCB-related areas are initialized during
  the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].

(b) how it is protected from memory allocations during DXE

  If S3 and SEV-ES are enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with an AcpiNVS
  memory allocation HOB, in PEI.

  If S3 is disabled, then these ranges are not protected. DXE's own page
  tables are first built while still in PEI (see HandOffToDxeCore()
  [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are
  located in permanent PEI memory. After CR3 is switched over to them
  (which occurs before jumping to the DXE core entry point), we don't have
  to preserve PcdOvmfSecGhcbPageTableBase. PEI switches to GHCB pages in
  permanent PEI memory and DXE will use these PEI GHCB pages, so we don't
  have to preserve PcdOvmfSecGhcbBase.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten same as in (a).

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
 		2020-08-17 02:46:39 +00:00
..
AmdSev.c OvmfPkg: Add support to perform SEV-ES initialization 2020-08-17 02:46:39 +00:00
ClearCache.c OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00
Cmos.c OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00
Cmos.h OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00
FeatureControl.c OvmfPkg: replace old EFI_D_ debug levels with new DEBUG_ ones 2020-04-30 13:01:16 +00:00
Fv.c OvmfPkg: replace old EFI_D_ debug levels with new DEBUG_ ones 2020-04-30 13:01:16 +00:00
MemDetect.c OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported 2020-08-17 02:46:39 +00:00
MemTypeInfo.c OvmfPkg/PlatformPei: extract memory type info defaults to PCDs 2020-05-18 15:48:48 +00:00
Platform.c OvmfPkg: replace old EFI_D_ debug levels with new DEBUG_ ones 2020-04-30 13:01:16 +00:00
Platform.h OvmfPkg: improve SMM comms security with adaptive MemoryTypeInformation 2020-03-12 21:14:46 +00:00
PlatformPei.inf OvmfPkg/PlatformPei: Reserve GHCB-related areas if S3 is supported 2020-08-17 02:46:39 +00:00
Xen.c OvmfPkg: replace old EFI_D_ debug levels with new DEBUG_ ones 2020-04-30 13:01:16 +00:00
Xen.h OvmfPkg: Replace BSD License with BSD+Patent License 2019-04-09 10:58:19 -07:00