OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled

Secure Encrypted Virtualization (SEV) guest VMs have the concept of
private and shared memory. Private memory is encrypted with the
guest-specific key, while shared memory may be encrypted with hypervisor
key.  Certain types of memory (namely instruction pages and guest page
tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like
to be private. The choice is done using the standard CPU page tables
using the C-bit. When building the initial page table we mark all the
memory as private.

The patch sets the memory encryption PCD. The PCD is consumed by the
following edk2 modules, which manipulate page tables:

- PEI phase modules: CapsulePei, DxeIplPeim, S3Resume2Pei.

CapsulePei is not used by OVMF. DxeIplPeim consumes the PCD at the
end of the PEI phase, when it builds the initial page tables for the
DXE core / DXE phase. S3Resume2Pei does not consume the PCD in its
entry point function, only when DxeIplPeim branches to the S3 resume
path at the end of the PEI phase, and calls S3Resume2Pei's
EFI_PEI_S3_RESUME2_PPI.S3RestoreConfig2() member function.

Therefore it is safe to set the PCD for these modules in PlatformPei.

- DXE phase modules: BootScriptExecutorDxe, CpuDxe, PiSmmCpuDxeSmm.

They are all dispatched after the PEI phase, so setting the PCD for
them in PlatformPei is safe. (BootScriptExecutorDxe is launched "for
real" in the PEI phase during S3 resume, but it caches the PCD into a
static variable when its entry point is originally invoked in DXE.)

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 29884b77859c79f85d019f057ed352b10f7149e6..9355a37ae95aad23f30be2df4992369e8ba2c965 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -534,6 +534,9 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r

+  # Set memory encryption mask\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0\r
+\r

 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r
 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 2b646e4a4969819faa32bfd74a8257d2068e67e8..edacd655d147a9850c0c4b57189b1ba829e5c147 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -542,6 +542,9 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r

+  # Set memory encryption mask\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0\r
+\r

 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r
 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 32386de9b4287838a9afb530de4792e692dc3009..93933612a3c75afbfaf19b32afbffa1dc06365ac 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -541,6 +541,9 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000\r
 \r

+  # Set memory encryption mask\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0\r
+\r

 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r
 !if $(SMM_REQUIRE) == TRUE\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01\r

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
new file mode 100644 (file)
index 0000000..26f7c3f
--- /dev/null
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -0,0 +1,62 @@
+/**@file\r
+  Initialize Secure Encrypted Virtualization (SEV) support\r
+\r
+  Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
+\r
+  This program and the accompanying materials\r
+  are licensed and made available under the terms and conditions of the BSD\r
+  License which accompanies this distribution.  The full text of the license\r
+  may be found at http://opensource.org/licenses/bsd-license.php\r
+\r
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+//\r
+// The package level header files this module uses\r
+//\r
+#include <PiPei.h>\r
+\r
+#include <Library/DebugLib.h>\r
+#include <Library/PcdLib.h>\r
+#include <Register/Cpuid.h>\r
+#include <Register/Amd/Cpuid.h>\r
+#include <Library/MemEncryptSevLib.h>\r
+\r
+/**\r
+\r
+  Function checks if SEV support is available, if present then it sets\r
+  the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
+\r
+  **/\r
+VOID\r
+EFIAPI\r
+AmdSevInitialize (\r
+  VOID\r
+  )\r
+{\r
+  CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;\r
+  UINT64                            EncryptionMask;\r
+  RETURN_STATUS                     PcdStatus;\r
+\r
+  //\r
+  // Check if SEV is enabled\r
+  //\r
+  if (!MemEncryptSevIsEnabled ()) {\r
+    return;\r
+  }\r
+\r
+  //\r
+  // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
+  //\r
+  AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
+  EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
+\r
+  //\r
+  // Set Memory Encryption Mask PCD\r
+  //\r
+  PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
+  ASSERT_RETURN_ERROR (PcdStatus);\r
+\r
+  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
+}\r

diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 98cfaaa28ed149086a57d7e144a790c059e55e6b..3ccb7d0fbfaa3dc94f098b7355c5e1b54bf58fb0 100644 (file)
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -672,6 +672,7 @@ InitializePlatform (
     NoexecDxeInitialization ();\r
   }\r
 \r
     NoexecDxeInitialization ();\r
   }\r
 \r

+  AmdSevInitialize ();\r

   MiscInitialization ();\r
   InstallFeatureControlCallback ();\r
 \r
   MiscInitialization ();\r
   InstallFeatureControlCallback ();\r
 \r

diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h
index ae855531c1b7adfa69b9851e187d010c6e1db41e..f942e61bb4f90ab16bbc18420ca97f582e1b5fea 100644 (file)
--- a/OvmfPkg/PlatformPei/Platform.h
+++ b/OvmfPkg/PlatformPei/Platform.h
@@ -93,6 +93,11 @@ XenDetect (
   VOID\r
   );\r
 \r
   VOID\r
   );\r
 \r

+VOID\r
+AmdSevInitialize (\r
+  VOID\r
+  );\r
+\r

 extern BOOLEAN mXen;\r
 \r
 VOID\r
 extern BOOLEAN mXen;\r
 \r
 VOID\r

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index a1e12c1fc7e2b9f3848bdeb53f74cc554c39bf5e..16a8db7b0bd2ed0cf31be80d2cc483f99553ce17 100644 (file)
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -29,6 +29,7 @@
 #\r
 \r
 [Sources]\r
 #\r
 \r
 [Sources]\r

+  AmdSev.c\r

   Cmos.c\r
   FeatureControl.c\r
   Fv.c\r
   Cmos.c\r
   FeatureControl.c\r
   Fv.c\r


@@ -60,6 +61,7 @@
   QemuFwCfgLib\r
   QemuFwCfgS3Lib\r
   MtrrLib\r
   QemuFwCfgLib\r
   QemuFwCfgS3Lib\r
   MtrrLib\r

+  MemEncryptSevLib\r

   PcdLib\r
 \r
 [Pcd]\r
   PcdLib\r
 \r
 [Pcd]\r


@@ -93,6 +95,7 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable\r
   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable\r

+  gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask\r

   gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds\r