[mirror_edk2.git] / OvmfPkg / PlatformPei / AmdSev.c

/**@file\r
  Initialize Secure Encrypted Virtualization (SEV) support\r
\r
  Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
\r
  This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD\r
  License which accompanies this distribution.  The full text of the license\r
  may be found at http://opensource.org/licenses/bsd-license.php\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
//\r
// The package level header files this module uses\r
//\r
#include <Library/DebugLib.h>\r
#include <Library/HobLib.h>\r
#include <Library/MemEncryptSevLib.h>\r
#include <Library/PcdLib.h>\r
#include <PiPei.h>\r
#include <Register/Amd/Cpuid.h>\r
#include <Register/Cpuid.h>\r
\r
#include "Platform.h"\r
\r
/**\r
\r
  Function checks if SEV support is available, if present then it sets\r
  the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
\r
  **/\r
VOID\r
AmdSevInitialize (\r
  VOID\r
  )\r
{\r
  CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;\r
  UINT64                            EncryptionMask;\r
  RETURN_STATUS                     PcdStatus;\r
\r
  //\r
  // Check if SEV is enabled\r
  //\r
  if (!MemEncryptSevIsEnabled ()) {\r
    return;\r
  }\r
\r
  //\r
  // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
  //\r
  AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
  EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
\r
  //\r
  // Set Memory Encryption Mask PCD\r
  //\r
  PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
\r
  //\r
  // Set Pcd to Deny the execution of option ROM when security\r
  // violation.\r
  //\r
  PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  //\r
  // When SMM is required, cover the pages containing the initial SMRAM Save\r
  // State Map with a memory allocation HOB:\r
  //\r
  // There's going to be a time interval between our decrypting those pages for\r
  // SMBASE relocation and re-encrypting the same pages after SMBASE\r
  // relocation. We shall ensure that the DXE phase stay away from those pages\r
  // until after re-encryption, in order to prevent an information leak to the\r
  // hypervisor.\r
  //\r
  if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
    RETURN_STATUS LocateMapStatus;\r
    UINTN         MapPagesBase;\r
    UINTN         MapPagesCount;\r
\r
    LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
                        &MapPagesBase,\r
                        &MapPagesCount\r
                        );\r
    ASSERT_RETURN_ERROR (LocateMapStatus);\r
\r
    BuildMemoryAllocationHob (\r
      MapPagesBase,                      // BaseAddress\r
      EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
      EfiBootServicesData                // MemoryType\r
      );\r
  }\r
}\r
Commit	Line	Data
13b5d743 BS	1	/**@file\r
	2	Initialize Secure Encrypted Virtualization (SEV) support\r
	3	\r
	4	Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
	5	\r
	6	This program and the accompanying materials\r
	7	are licensed and made available under the terms and conditions of the BSD\r
	8	License which accompanies this distribution. The full text of the license\r
	9	may be found at http://opensource.org/licenses/bsd-license.php\r
	10	\r
	11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	13	\r
	14	**/\r
	15	//\r
	16	// The package level header files this module uses\r
	17	//\r
13b5d743	18	#include <Library/DebugLib.h>\r
86defc2c	19	#include <Library/HobLib.h>\r
6d576e7a	20	#include <Library/MemEncryptSevLib.h>\r
13b5d743	21	#include <Library/PcdLib.h>\r
6d576e7a	22	#include <PiPei.h>\r
13b5d743	23	#include <Register/Amd/Cpuid.h>\r
6d576e7a	24	#include <Register/Cpuid.h>\r
13b5d743	25	\r
c0d221a3 LE	26	#include "Platform.h"\r
c0d221a3 LE	27	\r
13b5d743 BS	28	/**\r
	29	\r
	30	Function checks if SEV support is available, if present then it sets\r
	31	the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
	32	\r
	33	**/\r
	34	VOID\r
13b5d743 BS	35	AmdSevInitialize (\r
	36	VOID\r
	37	)\r
	38	{\r
	39	CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;\r
	40	UINT64 EncryptionMask;\r
	41	RETURN_STATUS PcdStatus;\r
	42	\r
	43	//\r
	44	// Check if SEV is enabled\r
	45	//\r
	46	if (!MemEncryptSevIsEnabled ()) {\r
	47	return;\r
	48	}\r
	49	\r
	50	//\r
	51	// CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
	52	//\r
	53	AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
	54	EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
	55	\r
	56	//\r
	57	// Set Memory Encryption Mask PCD\r
	58	//\r
	59	PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
	60	ASSERT_RETURN_ERROR (PcdStatus);\r
	61	\r
	62	DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
6041ac65 BS	63	\r
	64	//\r
	65	// Set Pcd to Deny the execution of option ROM when security\r
	66	// violation.\r
	67	//\r
	68	PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
	69	ASSERT_RETURN_ERROR (PcdStatus);\r
86defc2c LE	70	\r
	71	//\r
	72	// When SMM is required, cover the pages containing the initial SMRAM Save\r
	73	// State Map with a memory allocation HOB:\r
	74	//\r
	75	// There's going to be a time interval between our decrypting those pages for\r
	76	// SMBASE relocation and re-encrypting the same pages after SMBASE\r
	77	// relocation. We shall ensure that the DXE phase stay away from those pages\r
	78	// until after re-encryption, in order to prevent an information leak to the\r
	79	// hypervisor.\r
	80	//\r
	81	if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
	82	RETURN_STATUS LocateMapStatus;\r
	83	UINTN MapPagesBase;\r
	84	UINTN MapPagesCount;\r
	85	\r
	86	LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
	87	&MapPagesBase,\r
	88	&MapPagesCount\r
	89	);\r
	90	ASSERT_RETURN_ERROR (LocateMapStatus);\r
	91	\r
	92	BuildMemoryAllocationHob (\r
	93	MapPagesBase, // BaseAddress\r
	94	EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
	95	EfiBootServicesData // MemoryType\r
	96	);\r
	97	}\r
13b5d743	98	}\r