OvmfPkg/IoMmuDxe: abort harder on memory encryption mask failures

Upon a MemEncryptSevClearPageEncMask() failure in Map(), it wouldn't be
difficult to release the bounce buffer that was implicitly allocated for
BusMasterRead[64] and BusMasterWrite[64] operations. However, undoing any
partial memory encryption mask changes -- partial page splitting and PTE
modifications -- is practically impossible. (For example, restoring the
encryption mask on the entire range has no reason to fare any better than
the MemEncryptSevClearPageEncMask() call itself.)

For this reason, keep ASSERT_EFI_ERROR(), but hang in RELEASE builds too,
if MemEncryptSevClearPageEncMask() or MemEncryptSevSetPageEncMask() fails.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>

diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
index 1dafe0df1127259281427a031281d82789f59e6c..452d5c47753bb9b013d59ab6dcb752d43b6491c0 100644 (file)
--- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
+++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c
@@ -223,7 +223,10 @@ IoMmuMap (
              MapInfo->NumberOfPages,\r
              TRUE\r
              );\r
-  ASSERT_EFI_ERROR(Status);\r
+  ASSERT_EFI_ERROR (Status);\r
+  if (EFI_ERROR (Status)) {\r
+    CpuDeadLoop ();\r
+  }\r
 \r
   //\r
   // If this is a read operation from the Bus Master's point of view,\r
@@ -365,7 +368,10 @@ IoMmuUnmap (
              MapInfo->NumberOfPages,\r
              TRUE\r
              );\r
-  ASSERT_EFI_ERROR(Status);\r
+  ASSERT_EFI_ERROR (Status);\r
+  if (EFI_ERROR (Status)) {\r
+    CpuDeadLoop ();\r
+  }\r
 \r
   //\r
   // For BusMasterCommonBuffer[64] operations, copy the stashed data to the\r