BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429
Both the TDX and SEV support need to reserve a page in MEMFD as a work
area. The page will contain metadata specific to the guest type.
Currently, the SEV-ES support reserves a page in MEMFD
(PcdSevEsWorkArea) for the work area. This page can be reused as a TDX
work area when Intel TDX is enabled.
Based on the discussion [1], it was agreed to rename the SevEsWorkArea
to the OvmfWorkArea, and add a header that can be used to indicate the
work area type.
[1] https://edk2.groups.io/g/devel/message/78262?p=,,,20,0,0,0::\
created,0,SNP,20,2,0,
84476064
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
#define _MEM_ENCRYPT_SEV_LIB_H_\r
\r
#include <Base.h>\r
+#include <WorkArea.h>\r
\r
//\r
// Define the maximum number of #VCs allowed (e.g. the level of nesting\r
VOID *GhcbBackupPages;\r
} SEV_ES_PER_CPU_DATA;\r
\r
-//\r
-// Internal structure for holding SEV-ES information needed during SEC phase\r
-// and valid only during SEC phase and early PEI during platform\r
-// initialization.\r
-//\r
-// This structure is also used by assembler files:\r
-// OvmfPkg/ResetVector/ResetVector.nasmb\r
-// OvmfPkg/ResetVector/Ia32/PageTables64.asm\r
-// OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm\r
-// any changes must stay in sync with its usage.\r
-//\r
-typedef struct _SEC_SEV_ES_WORK_AREA {\r
- UINT8 SevEsEnabled;\r
- UINT8 Reserved1[7];\r
-\r
- UINT64 RandomData;\r
-\r
- UINT64 EncryptionMask;\r
-} SEC_SEV_ES_WORK_AREA;\r
-\r
//\r
// Memory encryption address range states.\r
//\r
--- /dev/null
+/** @file\r
+\r
+ Work Area structure definition\r
+\r
+ Copyright (c) 2021, AMD Inc.\r
+\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+\r
+#ifndef __OVMF_WORK_AREA_H__\r
+#define __OVMF_WORK_AREA_H__\r
+\r
+//\r
+// Guest type for the work area\r
+//\r
+typedef enum {\r
+ GUEST_TYPE_NON_ENCRYPTED,\r
+ GUEST_TYPE_AMD_SEV,\r
+ GUEST_TYPE_INTEL_TDX,\r
+\r
+} GUEST_TYPE;\r
+\r
+//\r
+// Confidential computing work area header definition. Any change\r
+// to the structure need to be kept in sync with the\r
+// PcdOvmfConfidentialComputingWorkAreaHeader.\r
+//\r
+typedef struct _CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER {\r
+ UINT8 GuestType;\r
+ UINT8 Reserved1[3];\r
+} CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER;\r
+\r
+//\r
+// Internal structure for holding SEV-ES information needed during SEC phase\r
+// and valid only during SEC phase and early PEI during platform\r
+// initialization.\r
+//\r
+// This structure is also used by assembler files:\r
+// OvmfPkg/ResetVector/ResetVector.nasmb\r
+// OvmfPkg/ResetVector/Ia32/PageTables64.asm\r
+// OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm\r
+// any changes must stay in sync with its usage.\r
+//\r
+typedef struct _SEC_SEV_ES_WORK_AREA {\r
+ UINT8 SevEsEnabled;\r
+ UINT8 Reserved1[7];\r
+\r
+ UINT64 RandomData;\r
+\r
+ UINT64 EncryptionMask;\r
+} SEC_SEV_ES_WORK_AREA;\r
+\r
+//\r
+// The SEV work area definition.\r
+//\r
+typedef struct _SEV_WORK_AREA {\r
+ CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER Header;\r
+\r
+ SEC_SEV_ES_WORK_AREA SevEsWorkArea;\r
+} SEV_WORK_AREA;\r
+\r
+typedef union {\r
+ CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER Header;\r
+ SEV_WORK_AREA SevWorkArea;\r
+} OVMF_WORK_AREA;\r
+\r
+#endif\r
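Review bot: Under natural alignment the `SevEsWorkArea` member of `SEV_WORK_AREA` lands at offset 8, not 4: the header is 4 bytes, but `SEC_SEV_ES_WORK_AREA` holds UINT64 members and is therefore 8-byte aligned, while the FDF in this same series places PcdSevEsWorkAreaBase at PcdOvmfWorkAreaBase + PcdOvmfConfidentialComputingWorkAreaHeader (= 4). Nothing in this patch dereferences the SEV-ES data through `SEV_WORK_AREA`/`OVMF_WORK_AREA`, but the union is evidently intended for that, and a C consumer would then read 4 bytes past where the reset vector writes (unless the build packs these structs, which is not shown here). I would pin the layout at compile time with `STATIC_ASSERT (sizeof (CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER) == 4, "work area header size must match PcdOvmfConfidentialComputingWorkAreaHeader");` and `STATIC_ASSERT (OFFSET_OF (SEV_WORK_AREA, SevEsWorkArea) == sizeof (CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER), "SEV-ES work area must immediately follow the header");` (both macros come from Base.h, which MemEncryptSevLib.h includes before this header), and then either grow `Reserved1` to 7 bytes with the PCD set to 8 or pack the structs so the C view and the PCD arithmetic agree. Separately, `GUEST_TYPE_NON_ENCRYPTED` is 0, so an unwritten (zero-filled) work area page decodes as a non-encrypted guest; a comment on the enum that consumers must not take an absent or zeroed header as proof that memory encryption is off would save a future reader from relying on it.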
gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47\r
gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48\r
\r
+ ## The base address and size of the work area used during the SEC\r
+ # phase by the SEV and TDX supports.\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|0|UINT32|0x49\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize|0|UINT32|0x50\r
+\r
+ ## The work area contains a fixed size header in the Include/WorkArea.h.\r
+ # The size of this header is used early boot, and is provided through\r
+ # a fixed PCD. It need to be kept in sync with any changes to the\r
+ # header definition.\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|0|UINT32|0x51\r
+\r
+\r
[PcdsDynamic, PcdsDynamicEx]\r
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10\r
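Review bot: PcdOvmfConfidentialComputingWorkAreaHeader is declared with a default of 0, but the FDF derives PcdSevEsWorkAreaBase from PcdOvmfWorkAreaBase plus this value, so any platform DSC that omits the `SET ... = 4` line silently places the SEV-ES work area on top of the header and `SevEsEnabled` aliases `GuestType` at offset 0. The value is a property of the structure in Include/WorkArea.h rather than of any one platform, so I would let the declaration carry it: `gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|4|UINT32|0x51`, leaving the per-DSC SET as an optional override. Minor: the token numbers jump from 0x49 to 0x50, skipping 0x4A-0x4F; harmless as long as they stay unique, but it reads like a decimal slip.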
SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwSpareBase = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwWorkingBase + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize\r
SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize = $(VARS_SPARE_SIZE)\r
\r
+# The OVMF WorkArea contains a fixed size header followed by the actual data.\r
+# The size of header is accessed through a fixed PCD in the reset vector code.\r
+# The value need to be kept in sync with the any changes to the Confidential\r
+# Computing Work Area header defined in the Include/WorkArea.h\r
+SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader = 4\r
+\r
!if $(SMM_REQUIRE) == TRUE\r
SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase\r
SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwWorkingBase\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize\r
\r
0x00B000|0x001000\r
-gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize\r
\r
0x00C000|0x001000\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize\r
FV = DXEFV\r
\r
+##########################################################################################\r
+# Set the SEV-ES specific work area PCDs\r
+#\r
+SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader\r
+SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader\r
+##########################################################################################\r
+\r
################################################################################\r
\r
[FV.SECFV]\r
}\r
\r
#ifdef MDE_CPU_X64\r
- if (MemEncryptSevEsIsEnabled ()) {\r
+ if (FixedPcdGet32 (PcdOvmfWorkAreaSize) != 0) {\r
//\r
- // If SEV-ES is enabled, reserve the SEV-ES work area.\r
+ // Reserve the work area.\r
//\r
// Since this memory range will be used by the Reset Vector on S3\r
// resume, it must be reserved as ACPI NVS.\r
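Review bot: The replacement comment `// Reserve the work area.` drops the rationale the old text carried, and the guard is now a build-time constant (`FixedPcdGet32 (PcdOvmfWorkAreaSize) != 0`) instead of a runtime SEV-ES check, so the page is reserved for every guest type, including plain non-encrypted guests that now give up a page (as ACPI NVS when S3 is supported). A reader will wonder why; I would say so, e.g. `// The work area now carries a guest-type header ahead of the SEV-ES data, so it is reserved whenever the platform defines one, regardless of which confidential computing technology (if any) is active.`, adjusting the wording if the reset vector does not in fact write the header for every guest type, which this patch does not show. The enclosing function starts before this hunk.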
// such that they would overlap the work area.\r
//\r
BuildMemoryAllocationHob (\r
- (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),\r
- (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),\r
+ (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaBase),\r
+ (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaSize),\r
mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData\r
);\r
}\r
gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase\r
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
- gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase\r
- gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase\r
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize\r
\r
[FeaturePcd]\r
gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable\r