From d9edefe3936aecbb9640a390cd990f1771e0dac2 Mon Sep 17 00:00:00 2001 From: Xin Jiang Date: Wed, 10 Jan 2024 17:34:57 +0800 Subject: [PATCH 9/9] OvmfPkg/BaseMemEncryptLib: Save memory encrypt status in reserved memory The MMIO routine of VC handler will get memory encrypt status to validate MMIO address. MemEncryptSevGetEncryptionMask() will enable interrupt while interrupt must be disabled during VC. During DXE stage, VC routine as below: CcExitHandleVc->MemEncryptSevGetAddressRangeState-> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask) Unfortunately, PcdGet64() will enable interrupt in VC context. Signed-off-by: Xin Jiang --- OvmfPkg/AmdSev/AmdSevX64.fdf | 5 ++++- .../Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 4 ++++ .../BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 9 ++------- OvmfPkg/OvmfPkg.dec | 4 ++++ OvmfPkg/OvmfPkgX64.fdf | 5 ++++- OvmfPkg/PlatformPei/AmdSev.c | 2 ++ OvmfPkg/PlatformPei/Csv.c | 6 ++++++ OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ 8 files changed, 28 insertions(+), 9 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 714ab004..b0d9033f 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -80,7 +80,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase|gUefiOvmfPkgTokenSpaceGui 0x012000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize -0x013000|0x00D000 +0x013000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize + +0x014000|0x00C000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize 0x020000|0x0E0000 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index 4d32fae6..6f2f69d0 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf 
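Review bot: The new 0x013000 page is carved out of PcdOvmfSecPeiTempRamSize, which shrinks from 0x00D000 to 0x00C000 here (and from 0x00E000 to 0x00D000 in the matching OvmfPkgX64.fdf hunk), and nothing in the patch revisits whatever SEC/PEI code sizes its temporary stack and heap from that PCD, so it is worth confirming that 4 KiB less temporary RAM still leaves headroom or placing the status page elsewhere in the MEMFD. The PCD names introduced here spell "Encrypt" as "Encrpyt" (`PcdMemEncrpytStatusBase`/`PcdMemEncrpytStatusSize`); the same misspelling is repeated in OvmfPkg.dec, DxeMemEncryptSevLib.inf, PlatformPei.inf, DxeMemEncryptSevLibInternal.c, AmdSev.c and Csv.c, and since these become public token names in OvmfPkg.dec they are hard to correct once shipped, so renaming to `PcdMemEncryptStatusBase`/`PcdMemEncryptStatusSize` before merge is advisable. A one-line comment above the new entry, e.g. `# Reserved page holding the SEV memory-encryption mask, read by DxeMemEncryptSevLib from #VC context`, would also record why a data page sits in this layout.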
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -61,3 +61,7 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index d80ebe2f..a9d43237 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -22,8 +22,6 @@ STATIC UINT64 mCurrentAttr = 0; STATIC BOOLEAN mCurrentAttrRead = FALSE; -STATIC UINT64 mSevEncryptionMask = 0; -STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; STATIC BOOLEAN mSevLiveMigrationStatus = FALSE; STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE; @@ -193,10 +191,7 @@ MemEncryptSevGetEncryptionMask ( VOID ) { - if (!mSevEncryptionMaskSaved) { - mSevEncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); - mSevEncryptionMaskSaved = TRUE; - } + UINT64 *MemEncryptStatus = (UINT64 *)(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase); - return mSevEncryptionMask; + return *MemEncryptStatus; } diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index d50b1ae3..a6016d58 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -443,6 +443,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|0|UINT32|0x72 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize|0|UINT32|0x73 + ## the base address of memory encryption status. + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|0|UINT32|0x74 + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize|0|UINT32|0x75 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 
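Review bot: MemEncryptSevGetEncryptionMask now returns whatever 64-bit value sits at the fixed page named by PcdMemEncrpytStatusBase, and nothing in the patch gives that page a defined value on a boot where the SEV branch of AmdSevInitialize does not execute, whereas the removed code returned the PCD value (its default unless PlatformPei set it); since the commit message says this value feeds MemEncryptSevGetAddressRangeState and the #VC MMIO address check, an uninitialized or stale mask on a non-SEV boot (or after a reset that leaves RAM contents in place, which is inferred rather than shown) changes which addresses are treated as encrypted. I would have PlatformPei zero the page once before its SEV-enabled branch, so the value is defined on every path, rather than rely on residual RAM contents. The cast on the new line should be `(UINT64 *)(UINTN)FixedPcdGet32 (PcdMemEncrpytStatusBase)` to match the `(UINTN)` form used in Csv.c. The line also deserves a comment, e.g. `// Plain load from the reserved status page filled in by PlatformPei; this routine runs in #VC context, where PCD services must not be called.`, together with a note that PcdPteMemoryEncryptionAddressOrMask is still set in PEI, so the page and the PCD must be kept in sync. The function's signature sits in the hunk header context, just outside the hunk.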
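Review bot: The comment `## the base address of memory encryption status.` covers only PcdMemEncrpytStatusBase and says nothing about who produces or consumes the page, which is the non-obvious part of this design. I would document both new PCDs together, e.g. `## Base and size of a reserved page that PlatformPei fills with the SEV memory-encryption mask; DxeMemEncryptSevLib reads it with a plain load because it is called from the #VC handler, where PCD services cannot be used. The .fdf files must place it inside the MEMFD.`, and mention that the values are coupled to the SecPeiTempRam entries in AmdSevX64.fdf and OvmfPkgX64.fdf.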
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b1cf0d99..a34b9f57 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -100,7 +100,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallBase|gUefiOvmfPkgTokenSpaceGui 0x011000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize -0x012000|0x00E000 +0x012000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase|gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize + +0x013000|0x00D000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize 0x020000|0x0E0000 diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 553e841e..7c4ef899 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -379,6 +379,8 @@ AmdSevInitialize ( PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask); ASSERT_RETURN_ERROR (PcdStatus); + *(UINT64 *)(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase) = EncryptionMask; + DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask)); // diff --git a/OvmfPkg/PlatformPei/Csv.c b/OvmfPkg/PlatformPei/Csv.c index a52112d5..fe8c059b 100644 --- a/OvmfPkg/PlatformPei/Csv.c +++ b/OvmfPkg/PlatformPei/Csv.c @@ -33,6 +33,12 @@ CsvInitializeMemInfo ( UINT64 LowerMemorySize; UINT64 UpperMemorySize; + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusBase), + (UINT64)(UINTN) FixedPcdGet32 (PcdMemEncrpytStatusSize), + EfiReservedMemoryType + ); + if (!CsvIsEnabled ()) { return ; } diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 07de179f..c2d503fa 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf 
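Review bot: The new store `*(UINT64 *)(UINT64)FixedPcdGet32 (PcdMemEncrpytStatusBase) = EncryptionMask;` writes a fixed physical page, but the reservation of that page (the BuildMemoryAllocationHob in Csv.c) lives in a different file and function, so nothing visible here guarantees it has been, or will be, reserved on the path that reaches this line; if the HOB is not built, the DXE core can hand the page to another allocation while DxeMemEncryptSevLib keeps reading the mask from it. I would put the reservation next to this write, or ASSERT on it, so the two stay together. The cast should use `(UINTN)` rather than `(UINT64)` for the integer-to-pointer conversion, matching Csv.c: `*(UINT64 *)(UINTN)FixedPcdGet32 (PcdMemEncrpytStatusBase) = EncryptionMask;`. A comment is warranted as well, e.g. `// Mirror the mask into the reserved status page: DxeMemEncryptSevLib must read it from #VC context with a plain load, where PCD services are unavailable.`. AmdSevInitialize begins and ends outside this hunk.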
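Review bot: The BuildMemoryAllocationHob call is placed in CsvInitializeMemInfo ahead of the `if (!CsvIsEnabled ())` guard, so it runs on every boot and has nothing to do with CSV, yet the page it reserves is written only by the SEV path in AmdSev.c and is never initialized here; a reader will not expect a CSV routine to own a SEV-related page. I would move the reservation to the code that writes the page, or to a generic platform reservation routine, and zero the page at the point it is reserved (if this runs before AmdSevInitialize, which is not visible here) so that a non-SEV boot reads a defined value. Reserving the page as EfiReservedMemoryType keeps the OS and DXE allocators away from it but says nothing about the page's encryption state; since the mask read from it decides which addresses are treated as encrypted, a comment stating that the page must remain guest-private memory would make that assumption explicit (its C-bit state is inferred from the MEMFD placement, not shown). CsvInitializeMemInfo starts outside the hunk.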
@@ -137,6 +137,8 @@ gUefiOvmfPkgTokenSpaceGuid.PcdCsvDefaultSecureCallSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCsvCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusBase + gUefiOvmfPkgTokenSpaceGuid.PcdMemEncrpytStatusSize [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable -- 2.25.1