OvmfPkg: Apply uncrustify changes
1 /**@file
2 Initialize Secure Encrypted Virtualization (SEV) support
3
4 Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
5
6 SPDX-License-Identifier: BSD-2-Clause-Patent
7
8 **/
9 //
10 // The package level header files this module uses
11 //
12 #include <IndustryStandard/Q35MchIch9.h>
13 #include <Library/DebugLib.h>
14 #include <Library/HobLib.h>
15 #include <Library/MemEncryptSevLib.h>
16 #include <Library/PcdLib.h>
17 #include <PiPei.h>
18 #include <Register/Intel/SmramSaveStateMap.h>
19
20 #include "Platform.h"
21
/**
  Configure the platform for AMD SEV when the guest runs with SEV active.

  If MemEncryptSevIsEnabled() reports that SEV is off, nothing is changed.
  Otherwise the function:
    - stores the SEV encryption mask in the dynamic PCD
      PcdPteMemoryEncryptionAddressOrMask,
    - sets PcdOptionRomImageVerificationPolicy to 0x4 so that option ROMs are
      denied execution on a security violation,
    - when SMM is required and this is not an S3 resume, makes sure the pages
      holding the initial SMRAM Save State Map are covered by a memory
      allocation, so that the DXE phase does not touch them while they are
      temporarily decrypted for SMBASE relocation.

**/
VOID
AmdSevInitialize (
  VOID
  )
{
  UINT64         SevMask;
  RETURN_STATUS  Status;
  RETURN_STATUS  LocateStatus;
  UINTN          SaveStateBase;
  UINTN          SaveStatePages;

  //
  // Nothing to configure unless the guest is running under SEV.
  //
  if (!MemEncryptSevIsEnabled ()) {
    return;
  }

  //
  // Publish the encryption mask through the dynamic PCD.
  //
  // NOTE(review): ASSERT_RETURN_ERROR is a DebugLib assertion. In a build
  // where assertions are disabled, a failing PcdSet64S() / PcdSet32S() would
  // presumably go unnoticed here -- confirm this is acceptable for release
  // builds.
  //
  SevMask = MemEncryptSevGetEncryptionMask ();
  Status  = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, SevMask);
  ASSERT_RETURN_ERROR (Status);

  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", SevMask));

  //
  // Option ROM policy: 0x4 denies execution of an option ROM image on a
  // security violation.
  //
  Status = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
  ASSERT_RETURN_ERROR (Status);

  //
  // The rest only applies when SMM is required and we are not resuming
  // from S3.
  //
  if (!FeaturePcdGet (PcdSmmSmramRequire) || (mBootMode == BOOT_ON_S3_RESUME)) {
    return;
  }

  //
  // The pages of the initial SMRAM Save State Map are decrypted for SMBASE
  // relocation and re-encrypted afterwards. During that interval the DXE
  // phase must keep away from them, otherwise their contents could leak to
  // the hypervisor. Covering them with a memory allocation achieves that.
  //
  // NOTE(review): with assertions disabled, a failed lookup would leave
  // SaveStateBase / SaveStatePages possibly unset before they are used
  // below -- confirm.
  //
  LocateStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (
                   &SaveStateBase,
                   &SaveStatePages
                   );
  ASSERT_RETURN_ERROR (LocateStatus);

  if (!mQ35SmramAtDefaultSmbase) {
    BuildMemoryAllocationHob (
      SaveStateBase,                      // BaseAddress
      EFI_PAGES_TO_SIZE (SaveStatePages), // Length
      EfiBootServicesData                 // MemoryType
      );
    return;
  }

  //
  // The Save State Map is already part of the larger reserved allocation
  // made in InitializeRamRegions(); only check that it lies inside the
  // default SMBASE window.
  //
  ASSERT (SMM_DEFAULT_SMBASE <= SaveStateBase);
  ASSERT (
    (SaveStateBase + EFI_PAGES_TO_SIZE (SaveStatePages) <=
     SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)
    );
}