projects / mirror_edk2.git / blame
| Commit | Line | Data |
|---|---|---|
| 656419f9 RC |
1 | /**@file\r |
| 2 | Initialize Secure Encrypted Virtualization (SEV) support\r | |
| 3 | \r | |
| 45388d04 | 4 | Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>\r |
| 656419f9 RC |
5 | \r |
| 6 | SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
| 7 | \r | |
| 8 | **/\r | |
| 9 | //\r | |
| 10 | // The package level header files this module uses\r | |
| 11 | //\r | |
| 12 | #include <IndustryStandard/Q35MchIch9.h>\r | |
| 13 | #include <Library/DebugLib.h>\r | |
| 14 | #include <Library/HobLib.h>\r | |
| 15 | #include <Library/MemEncryptSevLib.h>\r | |
| 16 | #include <Library/PcdLib.h>\r | |
| 17 | #include <PiPei.h>\r | |
| 656419f9 RC |
18 | #include <Register/Intel/SmramSaveStateMap.h>\r |
| 19 | \r | |
| 20 | #include "Platform.h"\r | |
| 21 | \r | |
| 22 | /**\r | |
| 23 | \r | |
| 24 | Function checks if SEV support is available, if present then it sets\r | |
| 25 | the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r | |
| 26 | \r | |
| 27 | **/\r | |
| 28 | VOID\r | |
| 29 | AmdSevInitialize (\r | |
| 30 | VOID\r | |
| 31 | )\r | |
| 32 | {\r | |
| ac0a286f MK |
33 | UINT64 EncryptionMask;\r |
| 34 | RETURN_STATUS PcdStatus;\r | |
| 656419f9 RC |
35 | \r |
| 36 | //\r | |
| 37 | // Check if SEV is enabled\r | |
| 38 | //\r | |
| 39 | if (!MemEncryptSevIsEnabled ()) {\r | |
| 40 | return;\r | |
| 41 | }\r | |
| 42 | \r | |
| 656419f9 RC |
43 | //\r |
| 44 | // Set Memory Encryption Mask PCD\r | |
| 45 | //\r | |
| 45388d04 | 46 | EncryptionMask = MemEncryptSevGetEncryptionMask ();\r |
| ac0a286f | 47 | PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r |
| 656419f9 RC |
48 | ASSERT_RETURN_ERROR (PcdStatus);\r |
| 49 | \r | |
| 50 | DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r | |
| 51 | \r | |
| 52 | //\r | |
| 53 | // Set Pcd to Deny the execution of option ROM when security\r | |
| 54 | // violation.\r | |
| 55 | //\r | |
| 56 | PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r | |
| 57 | ASSERT_RETURN_ERROR (PcdStatus);\r | |
| 58 | \r | |
| 59 | //\r | |
| 60 | // When SMM is required, cover the pages containing the initial SMRAM Save\r | |
| 61 | // State Map with a memory allocation HOB:\r | |
| 62 | //\r | |
| 63 | // There's going to be a time interval between our decrypting those pages for\r | |
| 64 | // SMBASE relocation and re-encrypting the same pages after SMBASE\r | |
| 65 | // relocation. We shall ensure that the DXE phase stay away from those pages\r | |
| 66 | // until after re-encryption, in order to prevent an information leak to the\r | |
| 67 | // hypervisor.\r | |
| 68 | //\r | |
| 69 | if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r | |
| ac0a286f MK |
70 | RETURN_STATUS LocateMapStatus;\r |
| 71 | UINTN MapPagesBase;\r | |
| 72 | UINTN MapPagesCount;\r | |
| 656419f9 RC |
73 | \r |
| 74 | LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r | |
| 75 | &MapPagesBase,\r | |
| 76 | &MapPagesCount\r | |
| 77 | );\r | |
| 78 | ASSERT_RETURN_ERROR (LocateMapStatus);\r | |
| 79 | \r | |
| 80 | if (mQ35SmramAtDefaultSmbase) {\r | |
| 81 | //\r | |
| 82 | // The initial SMRAM Save State Map has been covered as part of a larger\r | |
| 83 | // reserved memory allocation in InitializeRamRegions().\r | |
| 84 | //\r | |
| 85 | ASSERT (SMM_DEFAULT_SMBASE <= MapPagesBase);\r | |
| 86 | ASSERT (\r | |
| 87 | (MapPagesBase + EFI_PAGES_TO_SIZE (MapPagesCount) <=\r | |
| 88 | SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)\r | |
| 89 | );\r | |
| 90 | } else {\r | |
| 91 | BuildMemoryAllocationHob (\r | |
| 92 | MapPagesBase, // BaseAddress\r | |
| 93 | EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r | |
| 94 | EfiBootServicesData // MemoryType\r | |
| 95 | );\r | |
| 96 | }\r | |
| 97 | }\r | |
| 98 | }\r |