2 Initialize Secure Encrypted Virtualization (SEV) support
4 Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
10 // The package level header files this module uses
12 #include <IndustryStandard/Q35MchIch9.h>
13 #include <Library/DebugLib.h>
14 #include <Library/HobLib.h>
15 #include <Library/MemEncryptSevLib.h>
16 #include <Library/PcdLib.h>
18 #include <Register/Amd/Cpuid.h>
19 #include <Register/Cpuid.h>
20 #include <Register/Intel/SmramSaveStateMap.h>
26 Initialize SEV-ES support if running as an SEV-ES guest.
35 RETURN_STATUS PcdStatus
;
37 if (!MemEncryptSevEsIsEnabled ()) {
41 PcdStatus
= PcdSetBoolS (PcdSevEsIsEnabled
, TRUE
);
42 ASSERT_RETURN_ERROR (PcdStatus
);
47 Function checks if SEV support is available, if present then it sets
48 the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.
56 CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx
;
57 UINT64 EncryptionMask
;
58 RETURN_STATUS PcdStatus
;
61 // Check if SEV is enabled
63 if (!MemEncryptSevIsEnabled ()) {
68 // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)
70 AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO
, NULL
, &Ebx
.Uint32
, NULL
, NULL
);
71 EncryptionMask
= LShiftU64 (1, Ebx
.Bits
.PtePosBits
);
74 // Set Memory Encryption Mask PCD
76 PcdStatus
= PcdSet64S (PcdPteMemoryEncryptionAddressOrMask
, EncryptionMask
);
77 ASSERT_RETURN_ERROR (PcdStatus
);
79 DEBUG ((DEBUG_INFO
, "SEV is enabled (mask 0x%lx)\n", EncryptionMask
));
82 // Set Pcd to Deny the execution of option ROM when security
85 PcdStatus
= PcdSet32S (PcdOptionRomImageVerificationPolicy
, 0x4);
86 ASSERT_RETURN_ERROR (PcdStatus
);
89 // When SMM is required, cover the pages containing the initial SMRAM Save
90 // State Map with a memory allocation HOB:
92 // There's going to be a time interval between our decrypting those pages for
93 // SMBASE relocation and re-encrypting the same pages after SMBASE
94 // relocation. We shall ensure that the DXE phase stay away from those pages
95 // until after re-encryption, in order to prevent an information leak to the
98 if (FeaturePcdGet (PcdSmmSmramRequire
) && (mBootMode
!= BOOT_ON_S3_RESUME
)) {
99 RETURN_STATUS LocateMapStatus
;
103 LocateMapStatus
= MemEncryptSevLocateInitialSmramSaveStateMapPages (
107 ASSERT_RETURN_ERROR (LocateMapStatus
);
109 if (mQ35SmramAtDefaultSmbase
) {
111 // The initial SMRAM Save State Map has been covered as part of a larger
112 // reserved memory allocation in InitializeRamRegions().
114 ASSERT (SMM_DEFAULT_SMBASE
<= MapPagesBase
);
116 (MapPagesBase
+ EFI_PAGES_TO_SIZE (MapPagesCount
) <=
117 SMM_DEFAULT_SMBASE
+ MCH_DEFAULT_SMBASE_SIZE
)
120 BuildMemoryAllocationHob (
121 MapPagesBase
, // BaseAddress
122 EFI_PAGES_TO_SIZE (MapPagesCount
), // Length
123 EfiBootServicesData
// MemoryType
129 // Check and perform SEV-ES initialization if required.
131 AmdSevEsInitialize ();