[mirror_edk2.git] / OvmfPkg / PlatformPei / AmdSev.c

/**@file\r
  Initialize Secure Encrypted Virtualization (SEV) support\r
\r
  Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
//\r
// The package level header files this module uses\r
//\r
#include <IndustryStandard/Q35MchIch9.h>\r
#include <Library/DebugLib.h>\r
#include <Library/HobLib.h>\r
#include <Library/MemEncryptSevLib.h>\r
#include <Library/PcdLib.h>\r
#include <PiPei.h>\r
#include <Register/Amd/Cpuid.h>\r
#include <Register/Cpuid.h>\r
#include <Register/Intel/SmramSaveStateMap.h>\r
\r
#include "Platform.h"\r
\r
/**\r
\r
  Function checks if SEV support is available, if present then it sets\r
  the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
\r
  **/\r
VOID\r
AmdSevInitialize (\r
  VOID\r
  )\r
{\r
  CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;\r
  UINT64                            EncryptionMask;\r
  RETURN_STATUS                     PcdStatus;\r
\r
  //\r
  // Check if SEV is enabled\r
  //\r
  if (!MemEncryptSevIsEnabled ()) {\r
    return;\r
  }\r
\r
  //\r
  // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
  //\r
  AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
  EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
\r
  //\r
  // Set Memory Encryption Mask PCD\r
  //\r
  PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
\r
  //\r
  // Set Pcd to Deny the execution of option ROM when security\r
  // violation.\r
  //\r
  PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  //\r
  // When SMM is required, cover the pages containing the initial SMRAM Save\r
  // State Map with a memory allocation HOB:\r
  //\r
  // There's going to be a time interval between our decrypting those pages for\r
  // SMBASE relocation and re-encrypting the same pages after SMBASE\r
  // relocation. We shall ensure that the DXE phase stay away from those pages\r
  // until after re-encryption, in order to prevent an information leak to the\r
  // hypervisor.\r
  //\r
  if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
    RETURN_STATUS LocateMapStatus;\r
    UINTN         MapPagesBase;\r
    UINTN         MapPagesCount;\r
\r
    LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
                        &MapPagesBase,\r
                        &MapPagesCount\r
                        );\r
    ASSERT_RETURN_ERROR (LocateMapStatus);\r
\r
    if (mQ35SmramAtDefaultSmbase) {\r
      //\r
      // The initial SMRAM Save State Map has been covered as part of a larger\r
      // reserved memory allocation in InitializeRamRegions().\r
      //\r
      ASSERT (SMM_DEFAULT_SMBASE <= MapPagesBase);\r
      ASSERT (\r
        (MapPagesBase + EFI_PAGES_TO_SIZE (MapPagesCount) <=\r
         SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)\r
        );\r
    } else {\r
      BuildMemoryAllocationHob (\r
        MapPagesBase,                      // BaseAddress\r
        EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
        EfiBootServicesData                // MemoryType\r
        );\r
    }\r
  }\r
}\r
Commit	Line	Data
13b5d743 BS	1	/**@file\r
	2	Initialize Secure Encrypted Virtualization (SEV) support\r
	3	\r
	4	Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
	5	\r
b26f0cf9	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
13b5d743 BS	7	\r
	8	**/\r
	9	//\r
	10	// The package level header files this module uses\r
	11	//\r
300aae11	12	#include <IndustryStandard/Q35MchIch9.h>\r
13b5d743	13	#include <Library/DebugLib.h>\r
86defc2c	14	#include <Library/HobLib.h>\r
6d576e7a	15	#include <Library/MemEncryptSevLib.h>\r
13b5d743	16	#include <Library/PcdLib.h>\r
6d576e7a	17	#include <PiPei.h>\r
13b5d743	18	#include <Register/Amd/Cpuid.h>\r
6d576e7a	19	#include <Register/Cpuid.h>\r
300aae11	20	#include <Register/Intel/SmramSaveStateMap.h>\r
13b5d743	21	\r
c0d221a3 LE	22	#include "Platform.h"\r
c0d221a3 LE	23	\r
13b5d743 BS	24	/**\r
	25	\r
	26	Function checks if SEV support is available, if present then it sets\r
	27	the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
	28	\r
	29	**/\r
	30	VOID\r
13b5d743 BS	31	AmdSevInitialize (\r
	32	VOID\r
	33	)\r
	34	{\r
	35	CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;\r
	36	UINT64 EncryptionMask;\r
	37	RETURN_STATUS PcdStatus;\r
	38	\r
	39	//\r
	40	// Check if SEV is enabled\r
	41	//\r
	42	if (!MemEncryptSevIsEnabled ()) {\r
	43	return;\r
	44	}\r
	45	\r
	46	//\r
	47	// CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
	48	//\r
	49	AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
	50	EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
	51	\r
	52	//\r
	53	// Set Memory Encryption Mask PCD\r
	54	//\r
	55	PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
	56	ASSERT_RETURN_ERROR (PcdStatus);\r
	57	\r
	58	DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
6041ac65 BS	59	\r
	60	//\r
	61	// Set Pcd to Deny the execution of option ROM when security\r
	62	// violation.\r
	63	//\r
	64	PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
	65	ASSERT_RETURN_ERROR (PcdStatus);\r
86defc2c LE	66	\r
	67	//\r
	68	// When SMM is required, cover the pages containing the initial SMRAM Save\r
	69	// State Map with a memory allocation HOB:\r
	70	//\r
	71	// There's going to be a time interval between our decrypting those pages for\r
	72	// SMBASE relocation and re-encrypting the same pages after SMBASE\r
	73	// relocation. We shall ensure that the DXE phase stay away from those pages\r
	74	// until after re-encryption, in order to prevent an information leak to the\r
	75	// hypervisor.\r
	76	//\r
	77	if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
	78	RETURN_STATUS LocateMapStatus;\r
	79	UINTN MapPagesBase;\r
	80	UINTN MapPagesCount;\r
	81	\r
	82	LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
	83	&MapPagesBase,\r
	84	&MapPagesCount\r
	85	);\r
	86	ASSERT_RETURN_ERROR (LocateMapStatus);\r
	87	\r
300aae11 LE	88	if (mQ35SmramAtDefaultSmbase) {\r
	89	//\r
	90	// The initial SMRAM Save State Map has been covered as part of a larger\r
	91	// reserved memory allocation in InitializeRamRegions().\r
	92	//\r
	93	ASSERT (SMM_DEFAULT_SMBASE <= MapPagesBase);\r
	94	ASSERT (\r
	95	(MapPagesBase + EFI_PAGES_TO_SIZE (MapPagesCount) <=\r
	96	SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)\r
	97	);\r
	98	} else {\r
	99	BuildMemoryAllocationHob (\r
	100	MapPagesBase, // BaseAddress\r
	101	EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
	102	EfiBootServicesData // MemoryType\r
	103	);\r
	104	}\r
86defc2c	105	}\r
13b5d743	106	}\r