]> git.proxmox.com Git - mirror_edk2.git/commitdiff
projects / mirror_edk2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 707c71a)
OvmfPkg: reserve CPUID page
authorBrijesh Singh via groups.io <brijesh.singh=amd.com@groups.io>
Thu, 9 Dec 2021 03:27:34 +0000 (11:27 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Thu, 9 Dec 2021 06:28:10 +0000 (06:28 +0000)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Platform features and capabilities are traditionally discovered via the
CPUID instruction. Hypervisors typically trap and emulate the CPUID
instruction for a variety of reasons. There are some cases where incorrect
CPUID information can potentially lead to a security issue. The SEV-SNP
firmware provides a feature to filter the CPUID results through the PSP.
The filtered CPUID values are saved on a special page for the guest to
consume. Reserve a page in MEMFD that will contain the results of
filtered CPUID values.

Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
OvmfPkg/OvmfPkg.dec patch | blob | blame | history
OvmfPkg/OvmfPkgX64.fdf patch | blob | blame | history
OvmfPkg/ResetVector/ResetVector.inf patch | blob | blame | history
OvmfPkg/ResetVector/ResetVector.nasmb patch | blob | blame | history
OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm patch | blob | blame | history

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index deb285fd62c502284127b87f1d7ffce003ea3427..bc14cf2ed4030ddb45d30cd9a3b917845aafcf60 100644 (file)
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -357,6 +357,13 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59\r
 \r
+  ## The base address and size of a CPUID Area that contains the hypervisor\r
+  #  provided CPUID results. In the case of SEV-SNP, the CPUID results are\r
+  #  filtered by the SEV-SNP firmware. If this is set in the .fdf, the\r
+  #  platform is responsible to reserve this area from DXE phase overwrites.\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61\r
+\r
 [PcdsDynamic, PcdsDynamicEx]\r
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10\r
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 1313c7f016bf6e36a137426811bfe1208b86db80..e94b433e7b28c147a64f2b8fbab63b1ebd38fb91 100644 (file)
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -91,6 +91,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.P
 0x00D000|0x001000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize\r
 \r
+0x00E000|0x001000\r
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize\r
+\r
 0x010000|0x010000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize\r
 \r
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
index fcbc25d0ce3dbb36deb5da49cbe25de599930687..1c5d84184ed715a0a510c28908bec72549413c64 100644 (file)
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -55,6 +55,8 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize\r
 \r
 [FixedPcd]\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase\r
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize\r
   gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase\r
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 4e685ef236843ef566910b162b53f32cc5a82e34..fbaeab5f5168c848333471cb4e640455c08d6600 100644 (file)
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -105,6 +105,8 @@
   %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))\r
   %define SEV_SNP_SECRETS_BASE  (FixedPcdGet32 (PcdOvmfSnpSecretsBase))\r
   %define SEV_SNP_SECRETS_SIZE  (FixedPcdGet32 (PcdOvmfSnpSecretsSize))\r
+  %define CPUID_BASE  (FixedPcdGet32 (PcdOvmfCpuidBase))\r
+  %define CPUID_SIZE  (FixedPcdGet32 (PcdOvmfCpuidSize))\r
 \r
 %include "X64/IntelTdxMetadata.asm"\r
 %include "Ia32/Flat32ToFlat64.asm"\r
diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
index 2bc7790bd8085bfd4a1844f8ce9d56fcf63a5483..0cc12ad3473f183ef6ff4e8d2e721023a8cd149f 100644 (file)
--- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
@@ -17,6 +17,16 @@ BITS  64
 ; AMD SEV-SNP specific sections\r
 %define OVMF_SECTION_TYPE_SNP_SECRETS     0x2\r
 \r
+;\r
+; The section contains the hypervisor pre-populated CPUID values.\r
+; In the case of SEV-SNP, the CPUID values are filtered and measured by\r
+; the SEV-SNP firmware.\r
+; The CPUID format is documented in SEV-SNP firmware spec 0.9 section 7.1\r
+; (CPUID function structure).\r
+;\r
+%define OVMF_SECTION_TYPE_CPUID           0x3\r
+\r
+\r
 ALIGN 16\r
 \r
 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0\r
@@ -39,5 +49,11 @@ SevSnpSecrets:
   DD  SEV_SNP_SECRETS_SIZE\r
   DD  OVMF_SECTION_TYPE_SNP_SECRETS\r
 \r
+; CPUID values\r
+CpuidSec:\r
+  DD  CPUID_BASE\r
+  DD  CPUID_SIZE\r
+  DD  OVMF_SECTION_TYPE_CPUID\r
+\r
 OvmfSevGuidedStructureEnd:\r
   ALIGN   16\r
EFI Development Kit II mirror for PVE