edk2/0076-OvmfPkg-BaseMemEncryptLib-Save-memory-encrypt-status.patch

From d9edefe3936aecbb9640a390cd990f1771e0dac2 Mon Sep 17 00:00:00 2001
From: Xin Jiang <jiangxin@hygon.cn>
Date: Wed, 10 Jan 2024 17:34:57 +0800
Subject: [PATCH 9/9] OvmfPkg/BaseMemEncryptLib: Save memory encrypt status in
 reserved memory

The MMIO routine of VC handler will get memory encrypt status to
validate MMIO address. MemEncryptSevGetEncryptionMask() will enable
interrupt while interrupt must be disabled during VC.

During DXE stage, VC routine as below:
CcExitHandleVc->MemEncryptSevGetAddressRangeState->
MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask)

Unfortunately, PcdGet64() will enable interrupt in VC context.

Signed-off-by: Xin Jiang <jiangxin@hygon.cn>
---
 OvmfPkg/AmdSev/AmdSevX64.fdf                             | 5 ++++-
 .../Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 4 ++++
 .../BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c   | 9 ++-------
 OvmfPkg/OvmfPkg.dec                                      | 4 ++++
 OvmfPkg/OvmfPkgX64.fdf                                   | 5 ++++-
 OvmfPkg/PlatformPei/AmdSev.c                             | 2 ++
 OvmfPkg/PlatformPei/Csv.c                                | 6 ++++++
 OvmfPkg/PlatformPei/PlatformPei.inf                      | 2 ++
 8 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 714ab004..b0d9033f 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -80,7 +80,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase|gUefiOvmfPkgTokenSpaceGui
 0x012000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize
 
-0x013000|0x00D000
+0x013000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize
+
+0x014000|0x00C000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
 0x020000|0x0E0000
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
index 4d32fae6..6f2f69d0 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
@@ -61,3 +61,7 @@
 [Pcd]
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
   gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
index d80ebe2f..a9d43237 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
@@ -22,8 +22,6 @@
 
 STATIC UINT64   mCurrentAttr                   = 0;
 STATIC BOOLEAN  mCurrentAttrRead               = FALSE;
-STATIC UINT64   mSevEncryptionMask             = 0;
-STATIC BOOLEAN  mSevEncryptionMaskSaved        = FALSE;
 STATIC BOOLEAN  mSevLiveMigrationStatus        = FALSE;
 STATIC BOOLEAN  mSevLiveMigrationStatusChecked = FALSE;
 
@@ -193,10 +191,7 @@ MemEncryptSevGetEncryptionMask (
   VOID
   )
 {
-  if (!mSevEncryptionMaskSaved) {
-    mSevEncryptionMask      = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask);
-    mSevEncryptionMaskSaved = TRUE;
-  }
+  UINT64 *MemEncryptStatus = (UINT64 *)(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase);
 
-  return mSevEncryptionMask;
+  return *MemEncryptStatus;
 }
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index d50b1ae3..a6016d58 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -443,6 +443,10 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|0|UINT32|0x72
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize|0|UINT32|0x73
 
+  ## the base address of memory encryption status.
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|0|UINT32|0x74
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize|0|UINT32|0x75
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index b1cf0d99..a34b9f57 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -100,7 +100,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase|gUefiOvmfPkgTokenSpaceGui
 0x011000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize
 
-0x012000|0x00E000
+0x012000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize
+
+0x013000|0x00D000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
 0x020000|0x0E0000
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 553e841e..7c4ef899 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -379,6 +379,8 @@ AmdSevInitialize (
   PcdStatus      = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);
   ASSERT_RETURN_ERROR (PcdStatus);
 
+  *(UINT64 *)(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase) = EncryptionMask;
+
   DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));
 
   //
diff --git a/OvmfPkg/PlatformPei/Csv.c b/OvmfPkg/PlatformPei/Csv.c
index a52112d5..fe8c059b 100644
--- a/OvmfPkg/PlatformPei/Csv.c
+++ b/OvmfPkg/PlatformPei/Csv.c
@@ -33,6 +33,12 @@ CsvInitializeMemInfo (
   UINT64                      LowerMemorySize;
   UINT64                      UpperMemorySize;
 
+  BuildMemoryAllocationHob (
+    (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusBase),
+    (UINT64)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusSize),
+    EfiReservedMemoryType
+    );
+
   if (!CsvIsEnabled ()) {
     return ;
   }
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
index 07de179f..c2d503fa 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -137,6 +137,8 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize
 
 [FeaturePcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
-- 
2.25.1
Support live migration for Hygon CSV1/2/3 guests, fix nesting #VC The live migration of Hygon CSV1/2/3 guest depends on the KVM hypercall KVM_HC_MAP_GPA_RANGE, add code to sync page enc/dec status to KVM. The MMIO routine of VC handler will get memory encrypt status to validate MMIO address. MemEncryptSevGetEncryptionMask() will enable interrupt while interrupt must be disabled during VC. During DXE stage, VC routine as below: CcExitHandleVc -> MemEncryptSevGetAddressRangeState -> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask) Signed-off-by: hanliyang <hanliyang@hygon.cn> 2024-10-23 18:02:30 +08:00			`From d9edefe3936aecbb9640a390cd990f1771e0dac2 Mon Sep 17 00:00:00 2001`
			`From: Xin Jiang <jiangxin@hygon.cn>`
			`Date: Wed, 10 Jan 2024 17:34:57 +0800`
			`Subject: [PATCH 9/9] OvmfPkg/BaseMemEncryptLib: Save memory encrypt status in`
			`reserved memory`

			`The MMIO routine of VC handler will get memory encrypt status to`
			`validate MMIO address. MemEncryptSevGetEncryptionMask() will enable`
			`interrupt while interrupt must be disabled during VC.`

			`During DXE stage, VC routine as below:`
			`CcExitHandleVc->MemEncryptSevGetAddressRangeState->`
			`MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask)`

			`Unfortunately, PcdGet64() will enable interrupt in VC context.`

			`Signed-off-by: Xin Jiang <jiangxin@hygon.cn>`
			`---`
			`OvmfPkg/AmdSev/AmdSevX64.fdf \| 5 ++++-`
			`.../Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf \| 4 ++++`
			`.../BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c \| 9 ++-------`
			`OvmfPkg/OvmfPkg.dec \| 4 ++++`
			`OvmfPkg/OvmfPkgX64.fdf \| 5 ++++-`
			`OvmfPkg/PlatformPei/AmdSev.c \| 2 ++`
			`OvmfPkg/PlatformPei/Csv.c \| 6 ++++++`
			`OvmfPkg/PlatformPei/PlatformPei.inf \| 2 ++`
			`8 files changed, 28 insertions(+), 9 deletions(-)`

			`diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf`
			`index 714ab004..b0d9033f 100644`
			`--- a/OvmfPkg/AmdSev/AmdSevX64.fdf`
			`+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf`
			`@@ -80,7 +80,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase\|gUefiOvmfPkgTokenSpaceGui`
			`0x012000\|0x001000`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase\|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize`

			`-0x013000\|0x00D000`
			`+0x013000\|0x001000`
			`+gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase\|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize`
			`+`
			`+0x014000\|0x00C000`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase\|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize`

			`0x020000\|0x0E0000`
			`diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf`
			`index 4d32fae6..6f2f69d0 100644`
			`--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf`
			`+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf`
			`@@ -61,3 +61,7 @@`
			`[Pcd]`
			`gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask`
			`gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr`
			`+`
			`+[FixedPcd]`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize`
			`diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c`
			`index d80ebe2f..a9d43237 100644`
			`--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c`
			`+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c`
			`@@ -22,8 +22,6 @@`

			`STATIC UINT64 mCurrentAttr = 0;`
			`STATIC BOOLEAN mCurrentAttrRead = FALSE;`
			`-STATIC UINT64 mSevEncryptionMask = 0;`
			`-STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;`
			`STATIC BOOLEAN mSevLiveMigrationStatus = FALSE;`
			`STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE;`

			`@@ -193,10 +191,7 @@ MemEncryptSevGetEncryptionMask (`
			`VOID`
			`)`
			`{`
			`- if (!mSevEncryptionMaskSaved) {`
			`- mSevEncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask);`
			`- mSevEncryptionMaskSaved = TRUE;`
			`- }`
			`+ UINT64 MemEncryptStatus = (UINT64 )(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase);`

			`- return mSevEncryptionMask;`
			`+ return *MemEncryptStatus;`
			`}`
			`diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec`
			`index d50b1ae3..a6016d58 100644`
			`--- a/OvmfPkg/OvmfPkg.dec`
			`+++ b/OvmfPkg/OvmfPkg.dec`
			`@@ -443,6 +443,10 @@`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase\|0\|UINT32\|0x72`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize\|0\|UINT32\|0x73`

			`+ ## the base address of memory encryption status.`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase\|0\|UINT32\|0x74`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize\|0\|UINT32\|0x75`
			`+`
			`[PcdsDynamic, PcdsDynamicEx]`
			`gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent\|0\|UINT64\|2`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable\|FALSE\|BOOLEAN\|0x10`
			`diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf`
			`index b1cf0d99..a34b9f57 100644`
			`--- a/OvmfPkg/OvmfPkgX64.fdf`
			`+++ b/OvmfPkg/OvmfPkgX64.fdf`
			`@@ -100,7 +100,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase\|gUefiOvmfPkgTokenSpaceGui`
			`0x011000\|0x001000`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase\|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize`

			`-0x012000\|0x00E000`
			`+0x012000\|0x001000`
			`+gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase\|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize`
			`+`
			`+0x013000\|0x00D000`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase\|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize`

			`0x020000\|0x0E0000`
			`diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c`
			`index 553e841e..7c4ef899 100644`
			`--- a/OvmfPkg/PlatformPei/AmdSev.c`
			`+++ b/OvmfPkg/PlatformPei/AmdSev.c`
			`@@ -379,6 +379,8 @@ AmdSevInitialize (`
			`PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);`
			`ASSERT_RETURN_ERROR (PcdStatus);`

			`+ (UINT64 )(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase) = EncryptionMask;`
			`+`
			`DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));`

			`//`
			`diff --git a/OvmfPkg/PlatformPei/Csv.c b/OvmfPkg/PlatformPei/Csv.c`
			`index a52112d5..fe8c059b 100644`
			`--- a/OvmfPkg/PlatformPei/Csv.c`
			`+++ b/OvmfPkg/PlatformPei/Csv.c`
			`@@ -33,6 +33,12 @@ CsvInitializeMemInfo (`
			`UINT64 LowerMemorySize;`
			`UINT64 UpperMemorySize;`

			`+ BuildMemoryAllocationHob (`
			`+ (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusBase),`
			`+ (UINT64)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusSize),`
			`+ EfiReservedMemoryType`
			`+ );`
			`+`
			`if (!CsvIsEnabled ()) {`
			`return ;`
			`}`
			`diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf`
			`index 07de179f..c2d503fa 100644`
			`--- a/OvmfPkg/PlatformPei/PlatformPei.inf`
			`+++ b/OvmfPkg/PlatformPei/PlatformPei.inf`
			`@@ -137,6 +137,8 @@`
			`gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallSize`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase`
			`+ gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize`

			`[FeaturePcd]`
			`gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable`
			`--`
			`2.25.1`