DEFINE DECOMP_SCRATCH_BASE = (($(DECOMP_SCRATCH_BASE_UNALIGNED) + $(DECOMP_SCRATCH_BASE_ALIGNMENT)) & $(DECOMP_SCRATCH_BASE_MASK))\r
\r
SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd = $(DECOMP_SCRATCH_BASE) + $(DECOMP_SCRATCH_SIZE)\r
+\r
+#\r
+# The range of pages that should be pre-validated during the SEC phase when SEV-SNP is active in the guest VM.\r
+SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase\r
+SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd = $(DECOMP_SCRATCH_BASE) + $(DECOMP_SCRATCH_SIZE)\r
gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart\r
FixedPcdGet32 (PcdOvmfSecPageTablesBase),\r
FixedPcdGet32 (PcdOvmfPeiMemFvBase),\r
},\r
+ // The below range is pre-validated by the Sec/SecMain.c\r
+ {\r
+ FixedPcdGet32 (PcdOvmfSecValidatedStart),\r
+ FixedPcdGet32 (PcdOvmfSecValidatedEnd)\r
+ },\r
};\r
\r
STATIC\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61\r
\r
+ ## The range of memory that is validated by the SEC phase.\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart|0|UINT32|0x62\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd|0|UINT32|0x63\r
+\r
[PcdsDynamic, PcdsDynamicEx]\r
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10\r
@retval FALSE SEV-SNP is not enabled\r
\r
**/\r
-STATIC\r
BOOLEAN\r
SevSnpIsEnabled (\r
VOID\r
\r
return (SevEsWorkArea->SevEsEnabled != 0);\r
}\r
+\r
+/**\r
+ Validate System RAM used for decompressing the PEI and DXE firmware volumes\r
+ when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are\r
+ set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc.\r
+\r
+**/\r
+VOID\r
+SecValidateSystemRam (\r
+ VOID\r
+ )\r
+{\r
+ PHYSICAL_ADDRESS Start, End;\r
+\r
+ if (IsSevGuest () && SevSnpIsEnabled ()) {\r
+ Start = (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSecValidatedStart);\r
+ End = (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSecValidatedEnd);\r
+\r
+ MemEncryptSevSnpPreValidateSystemRam (Start, EFI_SIZE_TO_PAGES ((UINTN)(End - Start)));\r
+ }\r
+}\r
VOID\r
);\r
\r
+/**\r
+ Validate System RAM used for decompressing the PEI and DXE firmware volumes\r
+ when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are\r
+ set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc.\r
+\r
+**/\r
+VOID\r
+SecValidateSystemRam (\r
+ VOID\r
+ );\r
+\r
+/**\r
+ Determine if SEV-SNP is active.\r
+\r
+ @retval TRUE SEV-SNP is enabled\r
+ @retval FALSE SEV-SNP is not enabled\r
+\r
+**/\r
+BOOLEAN\r
+SevSnpIsEnabled (\r
+ VOID\r
+ );\r
+\r
#endif\r
SecCoreData.BootFirmwareVolumeBase = BootFv;\r
SecCoreData.BootFirmwareVolumeSize = (UINTN)BootFv->FvLength;\r
\r
+ //\r
+ // Validate the System RAM used in the SEC Phase\r
+ //\r
+ SecValidateSystemRam ();\r
+\r
//\r
// Make sure the 8259 is masked before initializing the Debug Agent and the debug timer is enabled\r
//\r
PeCoffExtraActionLib\r
ExtractGuidedSectionLib\r
LocalApicLib\r
+ MemEncryptSevLib\r
CpuExceptionHandlerLib\r
\r
[Ppis]\r
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd\r
\r
[FeaturePcd]\r
gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire\r
projects / mirror_edk2.git / commitdiff