2 Map TPM MMIO range unencrypted when SEV-ES is active.
3 Install gOvmfTpmMmioAccessiblePpiGuid unconditionally.
5 Copyright (C) 2021, Advanced Micro Devices, Inc.
7 SPDX-License-Identifier: BSD-2-Clause-Patent
12 #include <Library/DebugLib.h>
13 #include <Library/MemEncryptSevLib.h>
14 #include <Library/PcdLib.h>
15 #include <Library/PeiServicesLib.h>
17 STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpmMmioRangeAccessible
= {
18 EFI_PEI_PPI_DESCRIPTOR_PPI
| EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST
,
19 &gOvmfTpmMmioAccessiblePpiGuid
,
24 The entry point for TPM MMIO range mapping driver.
26 @param[in] FileHandle Handle of the file being invoked.
27 @param[in] PeiServices Describes the list of possible PEI Services.
29 @retval EFI_ABORTED No need to keep this PEIM resident
33 TpmMmioSevDecryptPeimEntryPoint (
34 IN EFI_PEI_FILE_HANDLE FileHandle
,
35 IN CONST EFI_PEI_SERVICES
**PeiServices
38 RETURN_STATUS DecryptStatus
;
41 DEBUG ((DEBUG_INFO
, "%a\n", __FUNCTION__
));
44 // If SEV is active, MMIO succeeds against an encrypted physical address
45 // because the nested page fault (NPF) that occurs on access does not
46 // include the encryption bit in the guest physical address provided to the
49 // If SEV-ES is active, MMIO would succeed against an encrypted physical
50 // address because the #VC handler uses the virtual address (which is an
51 // identity mapped physical address without the encryption bit) as the guest
52 // physical address of the MMIO target in the VMGEXIT.
54 // However, if SEV-ES is active, before performing the actual MMIO, an
55 // additional MMIO mitigation check is performed in the #VC handler to ensure
56 // that MMIO is being done to/from an unencrypted address. To prevent guest
57 // termination in this scenario, mark the range unencrypted ahead of access.
59 if (MemEncryptSevEsIsEnabled ()) {
62 "%a: mapping TPM MMIO address range unencrypted\n",
66 DecryptStatus
= MemEncryptSevClearMmioPageEncMask (
68 FixedPcdGet64 (PcdTpmBaseAddress
),
69 EFI_SIZE_TO_PAGES ((UINTN
)0x5000)
72 if (RETURN_ERROR (DecryptStatus
)) {
75 "%a: failed to map TPM MMIO address range unencrypted\n",
78 ASSERT_RETURN_ERROR (DecryptStatus
);
83 // MMIO range available
85 Status
= PeiServicesInstallPpi (&mTpmMmioRangeAccessible
);
86 ASSERT_EFI_ERROR (Status
);