OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The MpInitLib uses the ConfidentialComputingAttr PCD to determine whether
AMD SEV is active so that it can use the VMGEXITs defined in the GHCB
specification to create APs.

Cc: Michael Roth <michael.roth@amd.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Suggested-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 2997929faa0587f7e84622cab3e6f431deead0ef..8f5876341e26dc47beeb18a016109bceaea22f7d 100644 (file)
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -575,6 +575,9 @@
 \r
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00\r
 \r
+  # Set ConfidentialComputing defaults\r
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0\r
+\r
 !if $(TPM_ENABLE) == TRUE\r
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}\r
 !endif\r

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 1dc069e424200a14fadb1a694352622b6fe213a1..dbcfa5ab52ce017cb31d6e537a9c5149870abe87 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -651,6 +651,9 @@
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01\r
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01\r
 \r
+  # Set ConfidentialComputing defaults\r
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0\r
+\r
 [PcdsDynamicHii]\r
 !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE\r
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS\r

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a766457e6bc622dcfb3655dfd82693d50bcc285a..e4597e7f03da10178e92e03113ca255f8bf28eb3 100644 (file)
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -659,6 +659,9 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}\r
 !endif\r
 \r
+  # Set ConfidentialComputing defaults\r
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0\r
+\r
 [PcdsDynamicDefault.X64]\r
   # IPv4 and IPv6 PXE Boot support.\r
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01\r

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 97b7cb40ff88ea5fd59a1af8f746f4d8c4f7153a..08837bf8ec973580adee49becb5e9d637271d734 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -662,6 +662,9 @@
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01\r
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01\r
 \r
+  # Set ConfidentialComputing defaults\r
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0\r
+\r
 [PcdsDynamicHii]\r
 !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE\r
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS\r

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index a0f9178ed6e9366caac5e05cdf74a1d6f0f81eb9..c60a153a059e044acd64cf822777d8461939330f 100644 (file)
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -20,6 +20,7 @@
 #include <Register/Amd/Msr.h>\r
 #include <Register/Intel/SmramSaveStateMap.h>\r
 #include <Library/VmgExitLib.h>\r
+#include <ConfidentialComputingGuestAttr.h>\r
 \r
 #include "Platform.h"\r
 \r
@@ -345,4 +346,18 @@ AmdSevInitialize (
   // Check and perform SEV-ES initialization if required.\r
   //\r
   AmdSevEsInitialize ();\r
+\r
+  //\r
+  // Set the Confidential computing attr PCD to communicate which SEV\r
+  // technology is active.\r
+  //\r
+  if (MemEncryptSevSnpIsEnabled ()) {\r
+    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp);\r
+  } else if (MemEncryptSevEsIsEnabled ()) {\r
+    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs);\r
+  } else {\r
+    PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev);\r
+  }\r
+\r
+  ASSERT_RETURN_ERROR (PcdStatus);\r
 }\r

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 67eb7aa7166b5abfb590ef79802b472c399d8a64..bada5ea14439534fce51c82104febc530fdf5884 100644 (file)
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -106,6 +106,7 @@
   gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber\r
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize\r
   gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled\r
+  gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr\r
 \r
 [FixedPcd]\r
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress\r