OvmfPkg/PlatformPei: Validate SEC's GHCB page

When running under SEV-ES, a page of shared memory is allocated for the
GHCB during the SEC phase at address 0x809000. This page of memory is
eventually passed to the OS as EfiConventionalMemory. When running
SEV-SNP, this page is not PVALIDATE'd in the RMP table, meaning that if
the guest OS tries to access the page, it will think that the host has
voilated the security guarantees and will likely crash.

This patch validates this page immediately after EDK2 switches to using
the GHCB page allocated for the PEI phase.

This was tested by writing a UEFI application that reads to and writes
from one byte of each page of memory and checks to see if a #VC
exception is generated indicating that the page was not validated.

Fixes: 6995a1b79bab ("OvmfPkg: Create a GHCB page for use during Sec phase")
Signed-off-by: Adam Dunlap <acdunlap@google.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index c23fae7fcae0a16200c2cfa23d2c430055efbd98..e4e7b72e67926a55442d35e4cf17c80f6b73f98a 100644 (file)
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -212,7 +212,7 @@ AmdSevEsInitialize (
   UINTN                GhcbBackupPageCount;\r
   SEV_ES_PER_CPU_DATA  *SevEsData;\r
   UINTN                PageCount;\r
-  RETURN_STATUS        PcdStatus, DecryptStatus;\r
+  RETURN_STATUS        Status;\r
   IA32_DESCRIPTOR      Gdtr;\r
   VOID                 *Gdt;\r
 \r
@@ -220,8 +220,8 @@ AmdSevEsInitialize (
     return;\r
   }\r
 \r
-  PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);\r
-  ASSERT_RETURN_ERROR (PcdStatus);\r
+  Status = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);\r
+  ASSERT_RETURN_ERROR (Status);\r
 \r
   //\r
   // Allocate GHCB and per-CPU variable pages.\r
@@ -240,20 +240,20 @@ AmdSevEsInitialize (
   // only clear the encryption mask for the GHCB pages.\r
   //\r
   for (PageCount = 0; PageCount < GhcbPageCount; PageCount += 2) {\r
-    DecryptStatus = MemEncryptSevClearPageEncMask (\r
-                      0,\r
-                      GhcbBasePa + EFI_PAGES_TO_SIZE (PageCount),\r
-                      1\r
-                      );\r
-    ASSERT_RETURN_ERROR (DecryptStatus);\r
+    Status = MemEncryptSevClearPageEncMask (\r
+               0,\r
+               GhcbBasePa + EFI_PAGES_TO_SIZE (PageCount),\r
+               1\r
+               );\r
+    ASSERT_RETURN_ERROR (Status);\r
   }\r
 \r
   ZeroMem (GhcbBase, EFI_PAGES_TO_SIZE (GhcbPageCount));\r
 \r
-  PcdStatus = PcdSet64S (PcdGhcbBase, GhcbBasePa);\r
-  ASSERT_RETURN_ERROR (PcdStatus);\r
-  PcdStatus = PcdSet64S (PcdGhcbSize, EFI_PAGES_TO_SIZE (GhcbPageCount));\r
-  ASSERT_RETURN_ERROR (PcdStatus);\r
+  Status = PcdSet64S (PcdGhcbBase, GhcbBasePa);\r
+  ASSERT_RETURN_ERROR (Status);\r
+  Status = PcdSet64S (PcdGhcbSize, EFI_PAGES_TO_SIZE (GhcbPageCount));\r
+  ASSERT_RETURN_ERROR (Status);\r
 \r
   DEBUG ((\r
     DEBUG_INFO,\r
@@ -295,6 +295,20 @@ AmdSevEsInitialize (
 \r
   AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa);\r
 \r
+  //\r
+  // Now that the PEI GHCB is set up, the SEC GHCB page is no longer necessary\r
+  // to keep shared. Later, it is exposed to the OS as EfiConventionalMemory, so\r
+  // it needs to be marked private. The size of the region is hardcoded in\r
+  // OvmfPkg/ResetVector/ResetVector.nasmb in the definition of\r
+  // SNP_SEC_MEM_BASE_DESC_2.\r
+  //\r
+  Status = MemEncryptSevSetPageEncMask (\r
+             0,                                  // Cr3 -- use system Cr3\r
+             FixedPcdGet32 (PcdOvmfSecGhcbBase), // BaseAddress\r
+             1                                   // NumPages\r
+             );\r
+  ASSERT_RETURN_ERROR (Status);\r
+\r
   //\r
   // The SEV support will clear the C-bit from non-RAM areas.  The early GDT\r
   // lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT\r