X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=OvmfPkg%2FInclude%2FLibrary%2FMemEncryptSevLib.h;h=4fa9c0d7008391f0680d1f23885e5aff0d806fb8;hb=ade62c18f4742301bbef474ac10518bde5972fba;hp=a6d82dac7facb85a57e75bc393620eed7479b11c;hpb=b78de543d8a2caad5b981f4d6eebc38a365dc387;p=mirror_edk2.git diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index a6d82dac7f..4fa9c0d700 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -12,20 +12,52 @@ #define _MEM_ENCRYPT_SEV_LIB_H_ #include +#include // -// Internal structure for holding SEV-ES information needed during SEC phase -// and valid only during SEC phase and early PEI during platform -// initialization. +// Define the maximum number of #VCs allowed (e.g. the level of nesting +// that is allowed => 2 allows for 1 nested #VCs). I this value is changed, +// be sure to increase the size of +// gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize +// in any FDF file using this PCD. // -// This structure is also used by assembler files: -// OvmfPkg/ResetVector/ResetVector.nasmb -// OvmfPkg/ResetVector/Ia32/PageTables64.asm -// any changes must stay in sync with its usage. +#define VMGEXIT_MAXIMUM_VC_COUNT 2 + +// +// Per-CPU data mapping structure +// Use UINT32 for cached indicators and compare to a specific value +// so that the hypervisor can't indicate a value is cached by just +// writing random data to that area. // -typedef struct _SEC_SEV_ES_WORK_AREA { - UINT8 SevEsEnabled; -} SEC_SEV_ES_WORK_AREA; +typedef struct { + UINT32 Dr7Cached; + UINT64 Dr7; + + UINTN VcCount; + VOID *GhcbBackupPages; +} SEV_ES_PER_CPU_DATA; + +// +// Memory encryption address range states. +// +typedef enum { + MemEncryptSevAddressRangeUnencrypted, + MemEncryptSevAddressRangeEncrypted, + MemEncryptSevAddressRangeMixed, + MemEncryptSevAddressRangeError, +} MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; + +/** + Returns a boolean to indicate whether SEV-SNP is enabled + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ); /** Returns a boolean to indicate whether SEV-ES is enabled. @@ -61,8 +93,6 @@ MemEncryptSevIsEnabled ( address of a memory region. @param[in] NumPages The number of pages from start memory region. - @param[in] Flush Flush the caches before clearing the bit - (mostly TRUE except MMIO addresses) @retval RETURN_SUCCESS The attributes were cleared for the memory region. @@ -73,10 +103,9 @@ MemEncryptSevIsEnabled ( RETURN_STATUS EFIAPI MemEncryptSevClearPageEncMask ( - IN PHYSICAL_ADDRESS Cr3BaseAddress, - IN PHYSICAL_ADDRESS BaseAddress, - IN UINTN NumPages, - IN BOOLEAN Flush + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages ); /** @@ -89,8 +118,6 @@ MemEncryptSevClearPageEncMask ( address of a memory region. @param[in] NumPages The number of pages from start memory region. - @param[in] Flush Flush the caches before setting the bit - (mostly TRUE except MMIO addresses) @retval RETURN_SUCCESS The attributes were set for the memory region. @@ -101,13 +128,11 @@ MemEncryptSevClearPageEncMask ( RETURN_STATUS EFIAPI MemEncryptSevSetPageEncMask ( - IN PHYSICAL_ADDRESS Cr3BaseAddress, - IN PHYSICAL_ADDRESS BaseAddress, - IN UINTN NumPages, - IN BOOLEAN Flush + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages ); - /** Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM Save State Map. @@ -126,7 +151,81 @@ MemEncryptSevSetPageEncMask ( RETURN_STATUS EFIAPI MemEncryptSevLocateInitialSmramSaveStateMapPages ( - OUT UINTN *BaseAddress, - OUT UINTN *NumberOfPages + OUT UINTN *BaseAddress, + OUT UINTN *NumberOfPages + ); + +/** + Returns the SEV encryption mask. + + @return The SEV pagetable encryption mask +**/ +UINT64 +EFIAPI +MemEncryptSevGetEncryptionMask ( + VOID + ); + +/** + Returns the encryption state of the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress Base address to check + @param[in] Length Length of virtual address range + + @retval MemEncryptSevAddressRangeUnencrypted Address range is mapped + unencrypted + @retval MemEncryptSevAddressRangeEncrypted Address range is mapped + encrypted + @retval MemEncryptSevAddressRangeMixed Address range is mapped mixed + @retval MemEncryptSevAddressRangeError Address range is not mapped +**/ +MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE +EFIAPI +MemEncryptSevGetAddressRangeState ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN Length + ); + +/** + This function clears memory encryption bit for the MMIO region specified by + BaseAddress and NumPages. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] BaseAddress The physical address that is the start + address of a MMIO region. + @param[in] NumPages The number of pages from start memory + region. + + @retval RETURN_SUCCESS The attributes were cleared for the + memory region. + @retval RETURN_INVALID_PARAMETER Number of pages is zero. + @retval RETURN_UNSUPPORTED Clearing the memory encryption attribute + is not supported +**/ +RETURN_STATUS +EFIAPI +MemEncryptSevClearMmioPageEncMask ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ); + +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the base address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages ); + #endif // _MEM_ENCRYPT_SEV_LIB_H_