OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108

Protect the GHCB backup pages used by an SEV-ES guest when S3 is
supported.

Regarding the lifecycle of the GHCB backup pages:
  PcdOvmfSecGhcbBackupBase

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the GHCB backup pages are initialized when a
  nested #VC is received during the SEC phase
  [OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c].

(b) how it is protected from memory allocations during DXE

  If S3 and SEV-ES are enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with an AcpiNVS
  memory allocation HOB, in PEI.

  If S3 is disabled, then these ranges are not protected. PEI switches to
  the GHCB backup pages in permanent PEI memory and DXE will use these
  PEI GHCB backup pages, so we don't have to preserve
  PcdOvmfSecGhcbBackupBase.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten same as in (a).

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <119102a3d14caa70d81aee334a2e0f3f925e1a60.1610045305.git.thomas.lendacky@amd.com>

diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index ffbbef891a1178cc000d77a232f0fa9ddda36f7f..c08aa2e45a53e4a2ff9b06e79361daec815c0d4d 100644 (file)
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -888,6 +888,11 @@ InitializeRamRegions (
         (UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbSize),\r
         EfiACPIMemoryNVS\r
         );\r
+      BuildMemoryAllocationHob (\r
+        (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSecGhcbBackupBase),\r
+        (UINT64)(UINTN) PcdGet32 (PcdOvmfSecGhcbBackupSize),\r
+        EfiACPIMemoryNVS\r
+        );\r
     }\r
 #endif\r
   }\r

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index c53be2f4925c56ba828f73953ff08b716d7feba3..6ef77ba7bb21532d244c8d075a768dee81f64252 100644 (file)
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -118,6 +118,8 @@
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType\r
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode\r
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase\r
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
 \r