OvmfPkg/PlatformPei/AmdSev.c

   1 /**@file
   2   Initialize Secure Encrypted Virtualization (SEV) support
   3
   4   Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>
   5
   6   This program and the accompanying materials
   7   are licensed and made available under the terms and conditions of the BSD
   8   License which accompanies this distribution.  The full text of the license
   9   may be found at http://opensource.org/licenses/bsd-license.php
  10
  11   THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  12   WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  13
  14 **/
  15 //
  16 // The package level header files this module uses
  17 //
  18 #include <Library/DebugLib.h>
  19 #include <Library/HobLib.h>
  20 #include <Library/MemEncryptSevLib.h>
  21 #include <Library/PcdLib.h>
  22 #include <PiPei.h>
  23 #include <Register/Amd/Cpuid.h>
  24 #include <Register/Cpuid.h>
  25
  26 #include "Platform.h"
  27
  28 /**
  29
  30   Function checks if SEV support is available, if present then it sets
  31   the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.
  32
  33   **/
  34 VOID
  35 AmdSevInitialize (
  36   VOID
  37   )
  38 {
  39   CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;
  40   UINT64                            EncryptionMask;
  41   RETURN_STATUS                     PcdStatus;
  42
  43   //
  44   // Check if SEV is enabled
  45   //
  46   if (!MemEncryptSevIsEnabled ()) {
  47     return;
  48   }
  49
  50   //
  51   // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
  52   //
  53   AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);
  54   EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);
  55
  56   //
  57   // Set Memory Encryption Mask PCD
  58   //
  59   PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
  60   ASSERT_RETURN_ERROR (PcdStatus);
  61
  62   DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));
  63
  64   //
  65   // Set Pcd to Deny the execution of option ROM when security
  66   // violation.
  67   //
  68   PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
  69   ASSERT_RETURN_ERROR (PcdStatus);
  70
  71   //
  72   // When SMM is required, cover the pages containing the initial SMRAM Save
  73   // State Map with a memory allocation HOB:
  74   //
  75   // There's going to be a time interval between our decrypting those pages for
  76   // SMBASE relocation and re-encrypting the same pages after SMBASE
  77   // relocation. We shall ensure that the DXE phase stay away from those pages
  78   // until after re-encryption, in order to prevent an information leak to the
  79   // hypervisor.
  80   //
  81   if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {
  82     RETURN_STATUS LocateMapStatus;
  83     UINTN         MapPagesBase;
  84     UINTN         MapPagesCount;
  85
  86     LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (
  87                         &MapPagesBase,
  88                         &MapPagesCount
  89                         );
  90     ASSERT_RETURN_ERROR (LocateMapStatus);
  91
  92     BuildMemoryAllocationHob (
  93       MapPagesBase,                      // BaseAddress
  94       EFI_PAGES_TO_SIZE (MapPagesCount), // Length
  95       EfiBootServicesData                // MemoryType
  96       );
  97   }
  98 }