From ab77b6031b03733c28fa5f477d802fd67b3f3ee0 Mon Sep 17 00:00:00 2001 From: Brijesh Singh Date: Tue, 17 Aug 2021 21:46:50 +0800 Subject: [PATCH] OvmfPkg/ResetVector: update SEV support to use new work area format BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429 Update the SEV support to switch to using the newer work area format. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Signed-off-by: Brijesh Singh Reviewed-by: Min Xu Reviewed-by: Jiewen Yao --- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 8 +++++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 4 +++ OvmfPkg/ResetVector/ResetVector.inf | 1 + OvmfPkg/ResetVector/ResetVector.nasmb | 1 + OvmfPkg/Sec/SecMain.c | 36 ++++++++++++++++++++++- OvmfPkg/Sec/SecMain.inf | 2 ++ 6 files changed, 51 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index aa95d06ead..87d81b01e2 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -171,6 +171,9 @@ CheckSevFeatures: bt eax, 0 jnc NoSev + ; Set the work area header to indicate that the SEV is enabled + mov byte[WORK_AREA_GUEST_TYPE], 1 + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -257,6 +260,11 @@ SevExit: IsSevEsEnabled: xor eax, eax + ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set + ; to 1 if SEV is enabled. + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jne SevEsDisabled + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if ; SEV-ES is enabled. cmp byte[SEV_ES_WORK_AREA], 1 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm index eacdb69ddb..f688909f1c 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -42,6 +42,10 @@ BITS 32 ; SetCr3ForPageTables64: + ; Clear the WorkArea header. The SEV probe routines will populate the + ; work area when detected. + mov byte[WORK_AREA_GUEST_TYPE], 0 + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index d028c92d8c..a2520dde55 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -43,6 +43,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index acec46a324..d1d800c567 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -72,6 +72,7 @@ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) + %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2..707b0d4bbf 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -807,6 +807,36 @@ SevEsProtocolCheck ( Ghcb->GhcbUsage = GHCB_STANDARD_USAGE; } +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +STATIC +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. + // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) == + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV)); +} + /** Determine if SEV-ES is active. @@ -826,9 +856,13 @@ SevEsIsEnabled ( { SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + if (!IsSevGuest()) { + return FALSE; + } + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); - return ((SevEsWorkArea != NULL) && (SevEsWorkArea->SevEsEnabled != 0)); + return (SevEsWorkArea->SevEsEnabled != 0); } VOID diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 7f78dcee27..ea4b9611f5 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -70,6 +70,8 @@ gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire -- 2.39.2