OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map

When SEV-SNP is active, the CPUID and Secrets memory range contains the
information that is used during the VM boot. The content need to be persist
across the kexec boot. Mark the memory range as Reserved in the EFI map
so that guest OS or firmware does not use the range as a system RAM.

Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 9b71f7cf2fabbbd03258313a0689affebd7d2105..fb7e21ec140f173dd66a9fd5689e5c685f89eeb6 100644 (file)
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -416,3 +416,34 @@ AmdSevInitialize (
 \r
   ASSERT_RETURN_ERROR (PcdStatus);\r
 }\r
+\r
+/**\r
+ The function performs SEV specific region initialization.\r
+\r
+ **/\r
+VOID\r
+SevInitializeRam (\r
+  VOID\r
+  )\r
+{\r
+  if (MemEncryptSevSnpIsEnabled ()) {\r
+    //\r
+    // If SEV-SNP is enabled, reserve the Secrets and CPUID memory area.\r
+    //\r
+    // This memory range is given to the PSP by the hypervisor to populate\r
+    // the information used during the SNP VM boots, and it need to persist\r
+    // across the kexec boots. Mark it as EfiReservedMemoryType so that\r
+    // the guest firmware and OS does not use it as a system memory.\r
+    //\r
+    BuildMemoryAllocationHob (\r
+      (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase),\r
+      (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsSize),\r
+      EfiReservedMemoryType\r
+      );\r
+    BuildMemoryAllocationHob (\r
+      (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfCpuidBase),\r
+      (UINT64)(UINTN)PcdGet32 (PcdOvmfCpuidSize),\r
+      EfiReservedMemoryType\r
+      );\r
+  }\r
+}\r

diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 3f59a1ac79f6ff77c18a5582a87fd7c5087c3f86..738ed0c208ae53ffc6888de2f9bd49edf2b1947f 100644 (file)
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -871,6 +871,8 @@ InitializeRamRegions (
 {\r
   QemuInitializeRam ();\r
 \r
+  SevInitializeRam ();\r
+\r
   if (mS3Supported && (mBootMode != BOOT_ON_S3_RESUME)) {\r
     //\r
     // This is the memory range that will be used for PEI on S3 resume\r

diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h
index 357b3d4095c39c9e6aa771aef337f709a15268c9..24e4da4e1d93ebb481546165e39ebc0cacb952a4 100644 (file)
--- a/OvmfPkg/PlatformPei/Platform.h
+++ b/OvmfPkg/PlatformPei/Platform.h
@@ -104,6 +104,11 @@ AmdSevInitialize (
 \r
 extern EFI_BOOT_MODE  mBootMode;\r
 \r
+VOID\r
+SevInitializeRam (\r
+  VOID\r
+  );\r
+\r
 extern BOOLEAN  mS3Supported;\r
 \r
 extern UINT8  mPhysMemAddressWidth;\r

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 3c05b550e4bdba5a4a2f51362538d06c7bbccd3d..1c56ba2758356f23026f87e26d559503c8abd8ad 100644 (file)
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -111,6 +111,8 @@
   gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures\r
 \r
 [FixedPcd]\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize\r
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress\r
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS\r
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory\r
@@ -121,6 +123,8 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase\r
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize\r
 \r
 [FeaturePcd]\r
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable\r