3 Virtual Memory Management Services to set or clear the memory encryption bit
5 Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
6 Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>
8 This program and the accompanying materials are licensed and made available
9 under the terms and conditions of the BSD License which accompanies this
10 distribution. The full text of the license may be found at
11 http://opensource.org/licenses/bsd-license.php
13 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
14 WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 Code is derived from MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.c
20 #include <Library/CpuLib.h>
21 #include <Register/Amd/Cpuid.h>
22 #include <Register/Cpuid.h>
24 #include "VirtualMemory.h"
26 STATIC BOOLEAN mAddressEncMaskChecked
= FALSE
;
27 STATIC UINT64 mAddressEncMask
;
28 STATIC PAGE_TABLE_POOL
*mPageTablePool
= NULL
;
36 Get the memory encryption mask
38 @param[out] EncryptionMask contains the pte mask.
43 GetMemEncryptionAddressMask (
47 UINT64 EncryptionMask
;
48 CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx
;
50 if (mAddressEncMaskChecked
) {
51 return mAddressEncMask
;
55 // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
57 AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO
, NULL
, &Ebx
.Uint32
, NULL
, NULL
);
58 EncryptionMask
= LShiftU64 (1, Ebx
.Bits
.PtePosBits
);
60 mAddressEncMask
= EncryptionMask
& PAGING_1G_ADDRESS_MASK_64
;
61 mAddressEncMaskChecked
= TRUE
;
63 return mAddressEncMask
;
67 Initialize a buffer pool for page table use only.
69 To reduce the potential split operation on page table, the pages reserved for
70 page table should be allocated in the times of PAGE_TABLE_POOL_UNIT_PAGES and
71 at the boundary of PAGE_TABLE_POOL_ALIGNMENT. So the page pool is always
72 initialized with number of pages greater than or equal to the given
75 Once the pages in the pool are used up, this method should be called again to
76 reserve at least another PAGE_TABLE_POOL_UNIT_PAGES. Usually this won't
77 happen often in practice.
79 @param[in] PoolPages The least page number of the pool to be created.
81 @retval TRUE The pool is initialized successfully.
82 @retval FALSE The memory is out of resource.
86 InitializePageTablePool (
93 // Always reserve at least PAGE_TABLE_POOL_UNIT_PAGES, including one page for
96 PoolPages
+= 1; // Add one page for header.
97 PoolPages
= ((PoolPages
- 1) / PAGE_TABLE_POOL_UNIT_PAGES
+ 1) *
98 PAGE_TABLE_POOL_UNIT_PAGES
;
99 Buffer
= AllocateAlignedPages (PoolPages
, PAGE_TABLE_POOL_ALIGNMENT
);
100 if (Buffer
== NULL
) {
101 DEBUG ((DEBUG_ERROR
, "ERROR: Out of aligned pages\r\n"));
106 // Link all pools into a list for easier track later.
108 if (mPageTablePool
== NULL
) {
109 mPageTablePool
= Buffer
;
110 mPageTablePool
->NextPool
= mPageTablePool
;
112 ((PAGE_TABLE_POOL
*)Buffer
)->NextPool
= mPageTablePool
->NextPool
;
113 mPageTablePool
->NextPool
= Buffer
;
114 mPageTablePool
= Buffer
;
118 // Reserve one page for pool header.
120 mPageTablePool
->FreePages
= PoolPages
- 1;
121 mPageTablePool
->Offset
= EFI_PAGES_TO_SIZE (1);
127 This API provides a way to allocate memory for page table.
129 This API can be called more than once to allocate memory for page tables.
131 Allocates the number of 4KB pages and returns a pointer to the allocated
132 buffer. The buffer returned is aligned on a 4KB boundary.
134 If Pages is 0, then NULL is returned.
135 If there is not enough memory remaining to satisfy the request, then NULL is
138 @param Pages The number of 4 KB pages to allocate.
140 @return A pointer to the allocated buffer or NULL if allocation fails.
146 AllocatePageTableMemory (
157 // Renew the pool if necessary.
159 if (mPageTablePool
== NULL
||
160 Pages
> mPageTablePool
->FreePages
) {
161 if (!InitializePageTablePool (Pages
)) {
166 Buffer
= (UINT8
*)mPageTablePool
+ mPageTablePool
->Offset
;
168 mPageTablePool
->Offset
+= EFI_PAGES_TO_SIZE (Pages
);
169 mPageTablePool
->FreePages
-= Pages
;
173 "%a:%a: Buffer=0x%Lx Pages=%ld\n",
187 @param[in] PhysicalAddress Start physical address the 2M page
189 @param[in, out] PageEntry2M Pointer to 2M page entry.
190 @param[in] StackBase Stack base address.
191 @param[in] StackSize Stack size.
197 IN PHYSICAL_ADDRESS PhysicalAddress
,
198 IN OUT UINT64
*PageEntry2M
,
199 IN PHYSICAL_ADDRESS StackBase
,
203 PHYSICAL_ADDRESS PhysicalAddress4K
;
204 UINTN IndexOfPageTableEntries
;
205 PAGE_TABLE_4K_ENTRY
*PageTableEntry
, *PageTableEntry1
;
206 UINT64 AddressEncMask
;
208 PageTableEntry
= AllocatePageTableMemory(1);
210 PageTableEntry1
= PageTableEntry
;
212 AddressEncMask
= GetMemEncryptionAddressMask ();
214 ASSERT (PageTableEntry
!= NULL
);
215 ASSERT (*PageEntry2M
& AddressEncMask
);
217 PhysicalAddress4K
= PhysicalAddress
;
218 for (IndexOfPageTableEntries
= 0;
219 IndexOfPageTableEntries
< 512;
220 (IndexOfPageTableEntries
++,
222 PhysicalAddress4K
+= SIZE_4KB
)) {
224 // Fill in the Page Table entries
226 PageTableEntry
->Uint64
= (UINT64
) PhysicalAddress4K
| AddressEncMask
;
227 PageTableEntry
->Bits
.ReadWrite
= 1;
228 PageTableEntry
->Bits
.Present
= 1;
229 if ((PhysicalAddress4K
>= StackBase
) &&
230 (PhysicalAddress4K
< StackBase
+ StackSize
)) {
232 // Set Nx bit for stack.
234 PageTableEntry
->Bits
.Nx
= 1;
239 // Fill in 2M page entry.
241 *PageEntry2M
= ((UINT64
)(UINTN
)PageTableEntry1
|
242 IA32_PG_P
| IA32_PG_RW
| AddressEncMask
);
246 Set one page of page table pool memory to be read-only.
248 @param[in] PageTableBase Base address of page table (CR3).
249 @param[in] Address Start address of a page to be set as read-only.
250 @param[in] Level4Paging Level 4 paging flag.
255 SetPageTablePoolReadOnly (
256 IN UINTN PageTableBase
,
257 IN EFI_PHYSICAL_ADDRESS Address
,
258 IN BOOLEAN Level4Paging
263 UINT64 AddressEncMask
;
264 EFI_PHYSICAL_ADDRESS PhysicalAddress
;
266 UINT64
*NewPageTable
;
274 ASSERT (PageTableBase
!= 0);
277 // Since the page table is always from page table pool, which is always
278 // located at the boundary of PcdPageTablePoolAlignment, we just need to
279 // set the whole pool unit to be read-only.
281 Address
= Address
& PAGE_TABLE_POOL_ALIGN_MASK
;
283 LevelShift
[1] = PAGING_L1_ADDRESS_SHIFT
;
284 LevelShift
[2] = PAGING_L2_ADDRESS_SHIFT
;
285 LevelShift
[3] = PAGING_L3_ADDRESS_SHIFT
;
286 LevelShift
[4] = PAGING_L4_ADDRESS_SHIFT
;
288 LevelMask
[1] = PAGING_4K_ADDRESS_MASK_64
;
289 LevelMask
[2] = PAGING_2M_ADDRESS_MASK_64
;
290 LevelMask
[3] = PAGING_1G_ADDRESS_MASK_64
;
291 LevelMask
[4] = PAGING_1G_ADDRESS_MASK_64
;
293 LevelSize
[1] = SIZE_4KB
;
294 LevelSize
[2] = SIZE_2MB
;
295 LevelSize
[3] = SIZE_1GB
;
296 LevelSize
[4] = SIZE_512GB
;
298 AddressEncMask
= GetMemEncryptionAddressMask() &
299 PAGING_1G_ADDRESS_MASK_64
;
300 PageTable
= (UINT64
*)(UINTN
)PageTableBase
;
301 PoolUnitSize
= PAGE_TABLE_POOL_UNIT_SIZE
;
303 for (Level
= (Level4Paging
) ? 4 : 3; Level
> 0; --Level
) {
304 Index
= ((UINTN
)RShiftU64 (Address
, LevelShift
[Level
]));
305 Index
&= PAGING_PAE_INDEX_MASK
;
307 PageAttr
= PageTable
[Index
];
308 if ((PageAttr
& IA32_PG_PS
) == 0) {
310 // Go to next level of table.
312 PageTable
= (UINT64
*)(UINTN
)(PageAttr
& ~AddressEncMask
&
313 PAGING_4K_ADDRESS_MASK_64
);
317 if (PoolUnitSize
>= LevelSize
[Level
]) {
319 // Clear R/W bit if current page granularity is not larger than pool unit
322 if ((PageAttr
& IA32_PG_RW
) != 0) {
323 while (PoolUnitSize
> 0) {
325 // PAGE_TABLE_POOL_UNIT_SIZE and PAGE_TABLE_POOL_ALIGNMENT are fit in
326 // one page (2MB). Then we don't need to update attributes for pages
327 // crossing page directory. ASSERT below is for that purpose.
329 ASSERT (Index
< EFI_PAGE_SIZE
/sizeof (UINT64
));
331 PageTable
[Index
] &= ~(UINT64
)IA32_PG_RW
;
332 PoolUnitSize
-= LevelSize
[Level
];
342 // The smaller granularity of page must be needed.
346 NewPageTable
= AllocatePageTableMemory (1);
347 ASSERT (NewPageTable
!= NULL
);
349 PhysicalAddress
= PageAttr
& LevelMask
[Level
];
351 EntryIndex
< EFI_PAGE_SIZE
/sizeof (UINT64
);
353 NewPageTable
[EntryIndex
] = PhysicalAddress
| AddressEncMask
|
354 IA32_PG_P
| IA32_PG_RW
;
356 NewPageTable
[EntryIndex
] |= IA32_PG_PS
;
358 PhysicalAddress
+= LevelSize
[Level
- 1];
361 PageTable
[Index
] = (UINT64
)(UINTN
)NewPageTable
| AddressEncMask
|
362 IA32_PG_P
| IA32_PG_RW
;
363 PageTable
= NewPageTable
;
369 Prevent the memory pages used for page table from been overwritten.
371 @param[in] PageTableBase Base address of page table (CR3).
372 @param[in] Level4Paging Level 4 paging flag.
377 EnablePageTableProtection (
378 IN UINTN PageTableBase
,
379 IN BOOLEAN Level4Paging
382 PAGE_TABLE_POOL
*HeadPool
;
383 PAGE_TABLE_POOL
*Pool
;
385 EFI_PHYSICAL_ADDRESS Address
;
387 if (mPageTablePool
== NULL
) {
392 // SetPageTablePoolReadOnly might update mPageTablePool. It's safer to
393 // remember original one in advance.
395 HeadPool
= mPageTablePool
;
398 Address
= (EFI_PHYSICAL_ADDRESS
)(UINTN
)Pool
;
399 PoolSize
= Pool
->Offset
+ EFI_PAGES_TO_SIZE (Pool
->FreePages
);
402 // The size of one pool must be multiple of PAGE_TABLE_POOL_UNIT_SIZE,
403 // which is one of page size of the processor (2MB by default). Let's apply
404 // the protection to them one by one.
406 while (PoolSize
> 0) {
407 SetPageTablePoolReadOnly(PageTableBase
, Address
, Level4Paging
);
408 Address
+= PAGE_TABLE_POOL_UNIT_SIZE
;
409 PoolSize
-= PAGE_TABLE_POOL_UNIT_SIZE
;
412 Pool
= Pool
->NextPool
;
413 } while (Pool
!= HeadPool
);
421 @param[in] PhysicalAddress Start physical address the 1G page
423 @param[in, out] PageEntry1G Pointer to 1G page entry.
424 @param[in] StackBase Stack base address.
425 @param[in] StackSize Stack size.
431 IN PHYSICAL_ADDRESS PhysicalAddress
,
432 IN OUT UINT64
*PageEntry1G
,
433 IN PHYSICAL_ADDRESS StackBase
,
437 PHYSICAL_ADDRESS PhysicalAddress2M
;
438 UINTN IndexOfPageDirectoryEntries
;
439 PAGE_TABLE_ENTRY
*PageDirectoryEntry
;
440 UINT64 AddressEncMask
;
442 PageDirectoryEntry
= AllocatePageTableMemory(1);
444 AddressEncMask
= GetMemEncryptionAddressMask ();
445 ASSERT (PageDirectoryEntry
!= NULL
);
446 ASSERT (*PageEntry1G
& GetMemEncryptionAddressMask ());
448 // Fill in 1G page entry.
450 *PageEntry1G
= ((UINT64
)(UINTN
)PageDirectoryEntry
|
451 IA32_PG_P
| IA32_PG_RW
| AddressEncMask
);
453 PhysicalAddress2M
= PhysicalAddress
;
454 for (IndexOfPageDirectoryEntries
= 0;
455 IndexOfPageDirectoryEntries
< 512;
456 (IndexOfPageDirectoryEntries
++,
457 PageDirectoryEntry
++,
458 PhysicalAddress2M
+= SIZE_2MB
)) {
459 if ((PhysicalAddress2M
< StackBase
+ StackSize
) &&
460 ((PhysicalAddress2M
+ SIZE_2MB
) > StackBase
)) {
462 // Need to split this 2M page that covers stack range.
466 (UINT64
*)PageDirectoryEntry
,
472 // Fill in the Page Directory entries
474 PageDirectoryEntry
->Uint64
= (UINT64
) PhysicalAddress2M
| AddressEncMask
;
475 PageDirectoryEntry
->Bits
.ReadWrite
= 1;
476 PageDirectoryEntry
->Bits
.Present
= 1;
477 PageDirectoryEntry
->Bits
.MustBe1
= 1;
484 Set or Clear the memory encryption bit
486 @param[in] PagetablePoint Page table entry pointer (PTE).
487 @param[in] Mode Set or Clear encryption bit
492 IN OUT UINT64
* PageTablePointer
,
493 IN MAP_RANGE_MODE Mode
496 UINT64 AddressEncMask
;
498 AddressEncMask
= GetMemEncryptionAddressMask ();
500 if (Mode
== SetCBit
) {
501 *PageTablePointer
|= AddressEncMask
;
503 *PageTablePointer
&= ~AddressEncMask
;
509 Check the WP status in CR0 register. This bit is used to lock or unlock write
510 access to pages marked as read-only.
512 @retval TRUE Write protection is enabled.
513 @retval FALSE Write protection is disabled.
517 IsReadOnlyPageWriteProtected (
521 return ((AsmReadCr0 () & BIT16
) != 0);
526 Disable Write Protect on pages marked as read-only.
530 DisableReadOnlyPageWriteProtect (
534 AsmWriteCr0 (AsmReadCr0() & ~BIT16
);
538 Enable Write Protect on pages marked as read-only.
541 EnableReadOnlyPageWriteProtect (
545 AsmWriteCr0 (AsmReadCr0() | BIT16
);
550 This function either sets or clears memory encryption bit for the memory
551 region specified by PhysicalAddress and Length from the current page table
554 The function iterates through the PhysicalAddress one page at a time, and set
555 or clears the memory encryption mask in the page table. If it encounters
556 that a given physical address range is part of large page then it attempts to
557 change the attribute at one go (based on size), otherwise it splits the
558 large pages into smaller (e.g 2M page into 4K pages) and then try to set or
559 clear the encryption bit on the smallest page size.
561 @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
563 @param[in] PhysicalAddress The physical address that is the start
564 address of a memory region.
565 @param[in] Length The length of memory region
566 @param[in] Mode Set or Clear mode
567 @param[in] CacheFlush Flush the caches before applying the
570 @retval RETURN_SUCCESS The attributes were cleared for the
572 @retval RETURN_INVALID_PARAMETER Number of pages is zero.
573 @retval RETURN_UNSUPPORTED Setting the memory encyrption attribute
581 IN PHYSICAL_ADDRESS Cr3BaseAddress
,
582 IN PHYSICAL_ADDRESS PhysicalAddress
,
584 IN MAP_RANGE_MODE Mode
,
585 IN BOOLEAN CacheFlush
588 PAGE_MAP_AND_DIRECTORY_POINTER
*PageMapLevel4Entry
;
589 PAGE_MAP_AND_DIRECTORY_POINTER
*PageUpperDirectoryPointerEntry
;
590 PAGE_MAP_AND_DIRECTORY_POINTER
*PageDirectoryPointerEntry
;
591 PAGE_TABLE_1G_ENTRY
*PageDirectory1GEntry
;
592 PAGE_TABLE_ENTRY
*PageDirectory2MEntry
;
593 PAGE_TABLE_4K_ENTRY
*PageTableEntry
;
595 UINT64 AddressEncMask
;
597 RETURN_STATUS Status
;
600 // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnings.
602 PageMapLevel4Entry
= NULL
;
606 "%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u\n",
612 (Mode
== SetCBit
) ? "Encrypt" : "Decrypt",
617 // Check if we have a valid memory encryption mask
619 AddressEncMask
= GetMemEncryptionAddressMask ();
620 if (!AddressEncMask
) {
621 return RETURN_ACCESS_DENIED
;
624 PgTableMask
= AddressEncMask
| EFI_PAGE_MASK
;
627 return RETURN_INVALID_PARAMETER
;
631 // We are going to change the memory encryption attribute from C=0 -> C=1 or
632 // vice versa Flush the caches to ensure that data is written into memory
633 // with correct C-bit
636 WriteBackInvalidateDataCacheRange((VOID
*) (UINTN
)PhysicalAddress
, Length
);
640 // Make sure that the page table is changeable.
642 IsWpEnabled
= IsReadOnlyPageWriteProtected ();
644 DisableReadOnlyPageWriteProtect ();
647 Status
= EFI_SUCCESS
;
652 // If Cr3BaseAddress is not specified then read the current CR3
654 if (Cr3BaseAddress
== 0) {
655 Cr3BaseAddress
= AsmReadCr3();
658 PageMapLevel4Entry
= (VOID
*) (Cr3BaseAddress
& ~PgTableMask
);
659 PageMapLevel4Entry
+= PML4_OFFSET(PhysicalAddress
);
660 if (!PageMapLevel4Entry
->Bits
.Present
) {
663 "%a:%a: bad PML4 for Physical=0x%Lx\n",
668 Status
= RETURN_NO_MAPPING
;
672 PageDirectory1GEntry
= (VOID
*)(
673 (PageMapLevel4Entry
->Bits
.PageTableBaseAddress
<<
676 PageDirectory1GEntry
+= PDP_OFFSET(PhysicalAddress
);
677 if (!PageDirectory1GEntry
->Bits
.Present
) {
680 "%a:%a: bad PDPE for Physical=0x%Lx\n",
685 Status
= RETURN_NO_MAPPING
;
690 // If the MustBe1 bit is not 1, it's not actually a 1GB entry
692 if (PageDirectory1GEntry
->Bits
.MustBe1
) {
695 // If we have at least 1GB to go, we can just update this entry
697 if (!(PhysicalAddress
& (BIT30
- 1)) && Length
>= BIT30
) {
698 SetOrClearCBit(&PageDirectory1GEntry
->Uint64
, Mode
);
701 "%a:%a: updated 1GB entry for Physical=0x%Lx\n",
706 PhysicalAddress
+= BIT30
;
710 // We must split the page
714 "%a:%a: splitting 1GB page for Physical=0x%Lx\n",
720 (UINT64
)PageDirectory1GEntry
->Bits
.PageTableBaseAddress
<< 30,
721 (UINT64
*)PageDirectory1GEntry
,
731 PageUpperDirectoryPointerEntry
=
732 (PAGE_MAP_AND_DIRECTORY_POINTER
*)PageDirectory1GEntry
;
733 PageDirectory2MEntry
=
735 (PageUpperDirectoryPointerEntry
->Bits
.PageTableBaseAddress
<<
738 PageDirectory2MEntry
+= PDE_OFFSET(PhysicalAddress
);
739 if (!PageDirectory2MEntry
->Bits
.Present
) {
742 "%a:%a: bad PDE for Physical=0x%Lx\n",
747 Status
= RETURN_NO_MAPPING
;
751 // If the MustBe1 bit is not a 1, it's not a 2MB entry
753 if (PageDirectory2MEntry
->Bits
.MustBe1
) {
756 // If we have at least 2MB left to go, we can just update this entry
758 if (!(PhysicalAddress
& (BIT21
-1)) && Length
>= BIT21
) {
759 SetOrClearCBit (&PageDirectory2MEntry
->Uint64
, Mode
);
760 PhysicalAddress
+= BIT21
;
764 // We must split up this page into 4K pages
768 "%a:%a: splitting 2MB page for Physical=0x%Lx\n",
774 (UINT64
)PageDirectory2MEntry
->Bits
.PageTableBaseAddress
<< 21,
775 (UINT64
*)PageDirectory2MEntry
,
782 PageDirectoryPointerEntry
=
783 (PAGE_MAP_AND_DIRECTORY_POINTER
*)PageDirectory2MEntry
;
786 (PageDirectoryPointerEntry
->Bits
.PageTableBaseAddress
<<
789 PageTableEntry
+= PTE_OFFSET(PhysicalAddress
);
790 if (!PageTableEntry
->Bits
.Present
) {
793 "%a:%a: bad PTE for Physical=0x%Lx\n",
798 Status
= RETURN_NO_MAPPING
;
801 SetOrClearCBit (&PageTableEntry
->Uint64
, Mode
);
802 PhysicalAddress
+= EFI_PAGE_SIZE
;
803 Length
-= EFI_PAGE_SIZE
;
809 // Protect the page table by marking the memory used for page table to be
813 EnablePageTableProtection ((UINTN
)PageMapLevel4Entry
, TRUE
);
823 // Restore page table write protection, if any.
826 EnableReadOnlyPageWriteProtect ();
833 This function clears memory encryption bit for the memory region specified by
834 PhysicalAddress and Length from the current page table context.
836 @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
838 @param[in] PhysicalAddress The physical address that is the start
839 address of a memory region.
840 @param[in] Length The length of memory region
841 @param[in] Flush Flush the caches before applying the
844 @retval RETURN_SUCCESS The attributes were cleared for the
846 @retval RETURN_INVALID_PARAMETER Number of pages is zero.
847 @retval RETURN_UNSUPPORTED Clearing the memory encyrption attribute
852 InternalMemEncryptSevSetMemoryDecrypted (
853 IN PHYSICAL_ADDRESS Cr3BaseAddress
,
854 IN PHYSICAL_ADDRESS PhysicalAddress
,
860 return SetMemoryEncDec (
870 This function sets memory encryption bit for the memory region specified by
871 PhysicalAddress and Length from the current page table context.
873 @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use
875 @param[in] PhysicalAddress The physical address that is the start
876 address of a memory region.
877 @param[in] Length The length of memory region
878 @param[in] Flush Flush the caches before applying the
881 @retval RETURN_SUCCESS The attributes were set for the memory
883 @retval RETURN_INVALID_PARAMETER Number of pages is zero.
884 @retval RETURN_UNSUPPORTED Setting the memory encyrption attribute
889 InternalMemEncryptSevSetMemoryEncrypted (
890 IN PHYSICAL_ADDRESS Cr3BaseAddress
,
891 IN PHYSICAL_ADDRESS PhysicalAddress
,
896 return SetMemoryEncDec (