OvmfPkg: introduce a common work area
authorBrijesh Singh <brijesh.singh@amd.com>
Tue, 17 Aug 2021 13:46:49 +0000 (21:46 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Fri, 27 Aug 2021 12:10:40 +0000 (12:10 +0000)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Both the TDX and SEV support need to reserve a page in MEMFD as a work
area. The page will contain metadata specific to the guest type.
Currently, the SEV-ES support reserves a page in MEMFD
(PcdSevEsWorkArea) for the work area. This page can be reused as a TDX
work area when Intel TDX is enabled.

Based on the discussion [1], it was agreed to rename the SevEsWorkArea
to the OvmfWorkArea, and add a header that can be used to indicate the
work area type.

[1] https://edk2.groups.io/g/devel/message/78262?p=,,,20,0,0,0::\
    created,0,SNP,20,2,0,84476064

Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
OvmfPkg/Include/Library/MemEncryptSevLib.h
OvmfPkg/Include/WorkArea.h [new file with mode: 0644]
OvmfPkg/OvmfPkg.dec
OvmfPkg/OvmfPkgDefines.fdf.inc
OvmfPkg/OvmfPkgX64.fdf
OvmfPkg/PlatformPei/MemDetect.c
OvmfPkg/PlatformPei/PlatformPei.inf

index 76d06c206c8b5cd9973d58c8a9ddb2d1a4fabbcb..adc490e466ec139cf0908cb69462e626e4f960cf 100644 (file)
@@ -12,6 +12,7 @@
 #define _MEM_ENCRYPT_SEV_LIB_H_\r
 \r
 #include <Base.h>\r
+#include <WorkArea.h>\r
 \r
 //\r
 // Define the maximum number of #VCs allowed (e.g. the level of nesting\r
@@ -36,26 +37,6 @@ typedef struct {
   VOID    *GhcbBackupPages;\r
 } SEV_ES_PER_CPU_DATA;\r
 \r
-//\r
-// Internal structure for holding SEV-ES information needed during SEC phase\r
-// and valid only during SEC phase and early PEI during platform\r
-// initialization.\r
-//\r
-// This structure is also used by assembler files:\r
-//   OvmfPkg/ResetVector/ResetVector.nasmb\r
-//   OvmfPkg/ResetVector/Ia32/PageTables64.asm\r
-//   OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm\r
-// any changes must stay in sync with its usage.\r
-//\r
-typedef struct _SEC_SEV_ES_WORK_AREA {\r
-  UINT8    SevEsEnabled;\r
-  UINT8    Reserved1[7];\r
-\r
-  UINT64   RandomData;\r
-\r
-  UINT64   EncryptionMask;\r
-} SEC_SEV_ES_WORK_AREA;\r
-\r
 //\r
 // Memory encryption address range states.\r
 //\r
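Review bot: The added `#include <WorkArea.h>` is not needed by anything still visible in this header — the only user, SEC_SEV_ES_WORK_AREA, is removed in the same commit — so it appears to survive purely to keep existing includers of MemEncryptSevLib.h compiling, and a later include cleanup would drop it without noticing. Suggest marking the intent on the line itself, e.g. `#include <WorkArea.h>  // SEC_SEV_ES_WORK_AREA moved to WorkArea.h; kept so existing consumers still see it`, or alternatively updating those consumers to include WorkArea.h directly. Whether other parts of this header (outside the hunks) rely on WorkArea.h types cannot be told from here.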
diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h
new file mode 100644 (file)
index 0000000..c16030e
--- /dev/null
@@ -0,0 +1,67 @@
+/** @file\r
+\r
+  Work Area structure definition\r
+\r
+  Copyright (c) 2021, AMD Inc.\r
+\r
+  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+\r
+#ifndef __OVMF_WORK_AREA_H__\r
+#define __OVMF_WORK_AREA_H__\r
+\r
+//\r
+// Guest type for the work area\r
+//\r
+typedef enum {\r
+  GUEST_TYPE_NON_ENCRYPTED,\r
+  GUEST_TYPE_AMD_SEV,\r
+  GUEST_TYPE_INTEL_TDX,\r
+\r
+} GUEST_TYPE;\r
+\r
+//\r
+// Confidential computing work area header definition. Any change\r
+// to the structure need to be kept in sync with the\r
+// PcdOvmfConfidentialComputingWorkAreaHeader.\r
+//\r
+typedef struct _CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER {\r
+  UINT8                   GuestType;\r
+  UINT8                   Reserved1[3];\r
+} CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER;\r
+\r
+//\r
+// Internal structure for holding SEV-ES information needed during SEC phase\r
+// and valid only during SEC phase and early PEI during platform\r
+// initialization.\r
+//\r
+// This structure is also used by assembler files:\r
+//   OvmfPkg/ResetVector/ResetVector.nasmb\r
+//   OvmfPkg/ResetVector/Ia32/PageTables64.asm\r
+//   OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm\r
+// any changes must stay in sync with its usage.\r
+//\r
+typedef struct _SEC_SEV_ES_WORK_AREA {\r
+  UINT8    SevEsEnabled;\r
+  UINT8    Reserved1[7];\r
+\r
+  UINT64   RandomData;\r
+\r
+  UINT64   EncryptionMask;\r
+} SEC_SEV_ES_WORK_AREA;\r
+\r
+//\r
+// The SEV work area definition.\r
+//\r
+typedef struct _SEV_WORK_AREA {\r
+  CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER   Header;\r
+\r
+  SEC_SEV_ES_WORK_AREA                      SevEsWorkArea;\r
+} SEV_WORK_AREA;\r
+\r
+typedef union {\r
+  CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER   Header;\r
+  SEV_WORK_AREA                             SevWorkArea;\r
+} OVMF_WORK_AREA;\r
+\r
+#endif\r
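Review bot: `SEV_WORK_AREA` places a `SEC_SEV_ES_WORK_AREA` whose members are `UINT64` immediately after the 4-byte `CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER`, so under natural 8-byte alignment the compiler will most likely pad `SevEsWorkArea` to offset 8, while OvmfPkgX64.fdf derives `PcdSevEsWorkAreaBase` as the work area base plus `PcdOvmfConfidentialComputingWorkAreaHeader`, which OvmfPkgDefines.fdf.inc hard-codes to 4 — the C view of the layout and the PCD-driven view consumed by the reset vector would then disagree on where the SEV-ES data starts. Either pad the header to the data's alignment (and update the PCD value to match) or pin the layout at build time, e.g. `STATIC_ASSERT (OFFSET_OF (SEV_WORK_AREA, SevEsWorkArea) == sizeof (CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER), "work area header/data offset mismatch");` placed where Base.h is in scope; the hard-coded 4 in the fdf include then remains the one manual sync point, which the comment there should say explicitly. Separately, this header uses `UINT8`/`UINT64` without including `<Base.h>` itself, so it only compiles when included after Base.h as MemEncryptSevLib.h happens to do; an explicit `#include <Base.h>` would make it self-contained.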
index 8fb6f257e8e847baf03e294a0b5e3ff886bf5bd9..c37dafad49bb4c72c1fec7517a2c50c97546c91b 100644 (file)
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48\r
 \r
+  ## The base address and size of the work area used during the SEC\r
+  # phase by the SEV and TDX supports.\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|0|UINT32|0x49\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize|0|UINT32|0x50\r
+\r
+  ## The work area contains a fixed size header in the Include/WorkArea.h.\r
+  # The size of this header is used early boot, and is provided through\r
+  # a fixed PCD. It need to be kept in sync with any changes to the\r
+  # header definition.\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|0|UINT32|0x51\r
+\r
+\r
 [PcdsDynamic, PcdsDynamicEx]\r
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10\r
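Review bot: The new token numbers run 0x49, 0x50, 0x51, which reads as decimal counting in a hex field and leaves 0x4A–0x4F unused; if that is unintentional and those numbers are not already taken elsewhere in the file, `0x4A` and `0x4B` for the two work-area header/size PCDs would keep the sequence contiguous and avoid a later collision when someone fills the gap. The doc comment on PcdOvmfConfidentialComputingWorkAreaHeader could also name the concrete invariant instead of "kept in sync", e.g. `# It must equal sizeof (CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER) from Include/WorkArea.h.`, so a reviewer of either file knows exactly what to compare.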
index 35fd454b97ab883456b5aff5b5506604f618ce4d..3b5e452539165a42e1d5ff19d553e23c7e42a9ab 100644 (file)
@@ -82,6 +82,12 @@ SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize = $(BLOCK_SIZ
 SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwSpareBase = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwWorkingBase + gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingSize\r
 SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize = $(VARS_SPARE_SIZE)\r
 \r
+# The OVMF WorkArea contains a fixed size header followed by the actual data.\r
+# The size of header is accessed through a fixed PCD in the reset vector code.\r
+# The value need to be kept in sync with the any changes to the Confidential\r
+# Computing Work Area header defined in the Include/WorkArea.h\r
+SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader  = 4\r
+\r
 !if $(SMM_REQUIRE) == TRUE\r
 SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase\r
 SET gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageFtwWorkingBase\r
index 5fa8c08958081b50ce062d6fff6c5b735ecf1f38..23936242e74a1379eb20beca0a73eb38152021c3 100644 (file)
@@ -83,7 +83,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase|gUefiOvmfPkgTokenSpaceGui
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize\r
 \r
 0x00B000|0x001000\r
-gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize\r
 \r
 0x00C000|0x001000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
@@ -99,6 +99,13 @@ FV = PEIFV
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize\r
 FV = DXEFV\r
 \r
+##########################################################################################\r
+# Set the SEV-ES specific work area PCDs\r
+#\r
+SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) +  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader\r
+SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader\r
+##########################################################################################\r
+\r
 ################################################################################\r
 \r
 [FV.SECFV]\r
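Review bot: The SET for `PcdSevEsWorkAreaBase` adds `$(MEMFD_BASE_ADDRESS)` to `PcdOvmfWorkAreaBase`, yet MemDetect.c in this same commit passes `FixedPcdGet32 (PcdOvmfWorkAreaBase)` straight to BuildMemoryAllocationHob as a physical address; both can only be right if the region line `0x00B000|0x001000` leaves the PCD as an FD-relative offset when it is referenced from a SET expression, and if the build tool instead resolves it to the absolute address here, the SEV-ES base ends up off by MEMFD_BASE_ADDRESS. Worth confirming against the generated build report and recording the assumption in the comment block, e.g. `# PcdOvmfWorkAreaBase is FD-relative in this expression, so the FD base is added back explicitly.` The header subtraction for `PcdSevEsWorkAreaSize` is the same sync point as the hard-coded header size in OvmfPkgDefines.fdf.inc and should point to it.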
index 2deec128f464e127697583ca7f0ca9fc1166ba57..2c2c4641ec8aae7c26a7338b78ccc64b495e0a23 100644 (file)
@@ -939,9 +939,9 @@ InitializeRamRegions (
     }\r
 \r
 #ifdef MDE_CPU_X64\r
-    if (MemEncryptSevEsIsEnabled ()) {\r
+    if (FixedPcdGet32 (PcdOvmfWorkAreaSize) != 0) {\r
       //\r
-      // If SEV-ES is enabled, reserve the SEV-ES work area.\r
+      // Reserve the work area.\r
       //\r
       // Since this memory range will be used by the Reset Vector on S3\r
       // resume, it must be reserved as ACPI NVS.\r
@@ -951,8 +951,8 @@ InitializeRamRegions (
       // such that they would overlap the work area.\r
       //\r
       BuildMemoryAllocationHob (\r
-        (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),\r
-        (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),\r
+        (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaBase),\r
+        (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaSize),\r
         mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData\r
         );\r
     }\r
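Review bot: The reservation now runs whenever `PcdOvmfWorkAreaSize` is non-zero, i.e. on every build that carves the page out of MEMFD, but the rewritten comment `// Reserve the work area.` no longer says why a guest without SEV needs it reserved, which the old `MemEncryptSevEsIsEnabled ()` condition made self-explanatory. Suggest `// Reserve the work area unconditionally: the page is carved out of MEMFD for every guest type (see OvmfPkgX64.fdf), so it must stay out of the free memory map whether or not SEV or TDX is active.`; the S3 rationale in the following lines was written for the SEV-ES case and presumably still applies, but that should be confirmed for the non-encrypted path. InitializeRamRegions begins and ends outside the hunk.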
index 89d1f7636870603063688fd4284bdab268957864..67eb7aa7166b5abfb590ef79802b472c399d8a64 100644 (file)
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
-  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase\r
-  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize\r
 \r
 [FeaturePcd]\r
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable\r