edk2/0072-OvmfPkg-PlatformPei-Mark-SEC-GHCB-page-as-unencrypte.patch

From 16e7adce62f7c28cc1823229b40a27493737cae6 Mon Sep 17 00:00:00 2001
From: Ashish Kalra <ashish.kalra@amd.com>
Date: Tue, 5 Apr 2022 16:30:54 +0000
Subject: [PATCH 5/9] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted
 via hypercall

cherry-picked from https://patchew.org/EDK2/cover.1629380011.git.ashish.kalra@amd.com .

Mark the SEC GHCB page (that is mapped as unencrypted in
ResetVector code) in the hypervisor's guest page encryption
state tracking.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
---
 OvmfPkg/PlatformPei/AmdSev.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index e6b602d7..553e841e 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -229,6 +229,17 @@ AmdSevEsInitialize (
   Status = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
   ASSERT_RETURN_ERROR (Status);
 
+  //
+  // The SEC Ghcb setup during reset-vector needs to be marked as
+  // decrypted in the hypervisor's guest page encryption state
+  // tracking.
+  //
+  SetMemoryEncDecHypercall3 (
+    FixedPcdGet32 (PcdOvmfSecGhcbBase),
+    EFI_SIZE_TO_PAGES (FixedPcdGet32 (PcdOvmfSecGhcbSize)),
+    FALSE
+    );
+
   //
   // Allocate GHCB and per-CPU variable pages.
   //   Since the pages must survive across the UEFI to OS transition
-- 
2.25.1
Support live migration for Hygon CSV1/2/3 guests, fix nesting #VC The live migration of Hygon CSV1/2/3 guest depends on the KVM hypercall KVM_HC_MAP_GPA_RANGE, add code to sync page enc/dec status to KVM. The MMIO routine of VC handler will get memory encrypt status to validate MMIO address. MemEncryptSevGetEncryptionMask() will enable interrupt while interrupt must be disabled during VC. During DXE stage, VC routine as below: CcExitHandleVc -> MemEncryptSevGetAddressRangeState -> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask) Signed-off-by: hanliyang <hanliyang@hygon.cn> 2024-10-23 18:02:30 +08:00			`From 16e7adce62f7c28cc1823229b40a27493737cae6 Mon Sep 17 00:00:00 2001`
			`From: Ashish Kalra <ashish.kalra@amd.com>`
			`Date: Tue, 5 Apr 2022 16:30:54 +0000`
			`Subject: [PATCH 5/9] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted`
			`via hypercall`

			`cherry-picked from https://patchew.org/EDK2/cover.1629380011.git.ashish.kalra@amd.com .`

			`Mark the SEC GHCB page (that is mapped as unencrypted in`
			`ResetVector code) in the hypervisor's guest page encryption`
			`state tracking.`

			`Cc: Jordan Justen <jordan.l.justen@intel.com>`
			`Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>`
			`Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>`
			`---`
			`OvmfPkg/PlatformPei/AmdSev.c \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

			`diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c`
			`index e6b602d7..553e841e 100644`
			`--- a/OvmfPkg/PlatformPei/AmdSev.c`
			`+++ b/OvmfPkg/PlatformPei/AmdSev.c`
			`@@ -229,6 +229,17 @@ AmdSevEsInitialize (`
			`Status = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);`
			`ASSERT_RETURN_ERROR (Status);`

			`+ //`
			`+ // The SEC Ghcb setup during reset-vector needs to be marked as`
			`+ // decrypted in the hypervisor's guest page encryption state`
			`+ // tracking.`
			`+ //`
			`+ SetMemoryEncDecHypercall3 (`
			`+ FixedPcdGet32 (PcdOvmfSecGhcbBase),`
			`+ EFI_SIZE_TO_PAGES (FixedPcdGet32 (PcdOvmfSecGhcbSize)),`
			`+ FALSE`
			`+ );`
			`+`
			`//`
			`// Allocate GHCB and per-CPU variable pages.`
			`// Since the pages must survive across the UEFI to OS transition`
			`--`
			`2.25.1`