From 418ad50beaffaeb4b7b25d86b935f122f1740ebd Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Wed, 1 Dec 2021 10:24:07 -0600
Subject: [PATCH 1/1] OvmfPkg/MemEncryptSevLib: Check the guest type before
EsWorkarea access
The commit 80e67af9afca added support for a generic workarea concept.
The workarea header contains the information of the guest type. The
header is populated by ResetVector code during the guest detection.
Currently, the InternalMemEncryptSevStatus() reads the EsWorkArea to
determine the C-bit position. The EsWorkArea PCD is valid only for the
SEV guest type. Add a check of the guest type before accessing the
EsWorkArea PCD.
Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area")
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Qi Zhou <atmgnd@outlook.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Message-Id: <20211201162407.3323063-1-brijesh.singh@amd.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
.../DxeMemEncryptSevLib.inf | 2 +
.../PeiMemEncryptSevLib.inf | 2 +
.../SecMemEncryptSevLib.inf | 2 +
.../PeiMemEncryptSevLibInternal.c | 50 +++++++++++++++-
.../SecMemEncryptSevLibInternal.c | 58 ++++++++++++++++++-
5 files changed, 110 insertions(+), 4 deletions(-)
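--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
@@ -54,4 +54,6 @@ [FeaturePcd]
 gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
 
 [Pcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
 gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader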
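Review bot: The two PCDs added to the `[Pcd]` section of DxeMemEncryptSevLib.inf have no consumer in this patch — the diffstat touches only the Pei and Sec internal sources and no DXE source is changed — so as far as this commit shows they are declared but unused. If a later change is expected to read them from the DXE library, a short sentence in the commit message would make that clear; otherwise they could be left out of the Dxe .inf until needed. Note also that Pei and Sec declare the same two PCDs under `[FixedPcd]` while Dxe uses `[Pcd]`; the helpers this patch adds to the Pei and Sec sources call `FixedPcdGet32`, which presumably requires a fixed-at-build declaration — worth confirming before a DXE consumer is added.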
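--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
@@ -54,4 +54,6 @@ [FeaturePcd]
 gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
 
 [FixedPcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader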
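--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
@@ -48,4 +48,6 @@ [LibraryClasses]
 PcdLib
 
 [FixedPcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader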
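--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -24,6 +24,52 @@ STATIC BOOLEAN mSevStatusChecked = FALSE;
 STATIC UINT64 mSevEncryptionMask = 0;
 STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
 
+/**
+ Determine if the SEV is active.
+
+ During the early booting, GuestType is set in the work area. Verify that it
+ is an SEV guest.
+
+ @retval TRUE SEV is enabled
+ @retval FALSE SEV is not enabled
+
+ **/
+STATIC
+BOOLEAN
+IsSevGuest (
+ VOID
+ )
+{
+ OVMF_WORK_AREA *WorkArea;
+
+ //
+ // Ensure that the size of the Confidential Computing work area header
+ // is same as what is provided through a fixed PCD.
+ //
+ ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) ==
+ sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
+
+ WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase);
+
+ return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV));
+}
+
+STATIC
+SEC_SEV_ES_WORK_AREA *
+GetSevEsWorkArea (
+ VOID
+ )
+{
+ //
+ // Before accessing the Es workarea lets verify that its SEV guest
+ //
+ if (!IsSevGuest()) {
+ return NULL;
+ }
+
+ return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+}
+
 /**
 Reads and sets the status of SEV features.
 
@@ -43,7 +89,7 @@ InternalMemEncryptSevStatus (
 
 ReadSevMsr = FALSE;
 
- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+ SevEsWorkArea = GetSevEsWorkArea ();
 if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) {
 //
 // The MSR has been read before, so it is safe to read it again and avoid
@@ -139,7 +185,7 @@ MemEncryptSevGetEncryptionMask (
 if (!mSevEncryptionMaskSaved) {
 SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
 
- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+ SevEsWorkArea = GetSevEsWorkArea ();
 if (SevEsWorkArea != NULL) {
 mSevEncryptionMask = SevEsWorkArea->EncryptionMask;
 } else {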
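Review bot: `GetSevEsWorkArea` in the first hunk has no function header comment, while `IsSevGuest` directly above it carries the usual `/** ... **/` block; a reader needs to be told that NULL here means "not an SEV guest" rather than "work area unavailable". Suggested header: `/** Return the SEV-ES work area, or NULL when the work-area header does not report an AMD SEV guest. @return Pointer to the SEV-ES work area, or NULL. **/`, and the inline comment reads better as `// Before accessing the SEV-ES work area, verify that this is an SEV guest`. Both helpers are duplicated verbatim in SecMemEncryptSevLibInternal.c (the next file in this patch); a shared internal header or source would keep the two copies from drifting. The `WorkArea != NULL` test compares a `FixedPcdGet32` constant, so it is decided at build time and only guards a zero PCD value — a one-line comment saying so would stop readers from looking for a runtime NULL source.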
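--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -17,6 +17,52 @@
 #include <Register/Cpuid.h>
 #include <Uefi/UefiBaseType.h>
 
+/**
+ Determine if the SEV is active.
+
+ During the early booting, GuestType is set in the work area. Verify that it
+ is an SEV guest.
+
+ @retval TRUE SEV is enabled
+ @retval FALSE SEV is not enabled
+
+ **/
+STATIC
+BOOLEAN
+IsSevGuest (
+ VOID
+ )
+{
+ OVMF_WORK_AREA *WorkArea;
+
+ //
+ // Ensure that the size of the Confidential Computing work area header
+ // is same as what is provided through a fixed PCD.
+ //
+ ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) ==
+ sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
+
+ WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase);
+
+ return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV));
+}
+
+STATIC
+SEC_SEV_ES_WORK_AREA *
+GetSevEsWorkArea (
+ VOID
+ )
+{
+ //
+ // Before accessing the Es workarea lets verify that its SEV guest
+ //
+ if (!IsSevGuest()) {
+ return NULL;
+ }
+
+ return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+}
+
 /**
 Reads and sets the status of SEV features.
 
@@ -35,7 +81,8 @@ InternalMemEncryptSevStatus (
 
 ReadSevMsr = FALSE;
 
- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+
+ SevEsWorkArea = GetSevEsWorkArea ();
 if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) {
 //
 // The MSR has been read before, so it is safe to read it again and avoid
@@ -115,7 +162,14 @@ MemEncryptSevGetEncryptionMask (
 SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
 UINT64 EncryptionMask;
 
- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
+ //
+ // Before accessing the Es workarea lets verify that its SEV guest
+ //
+ if (!IsSevGuest()) {
+ return 0;
+ }
+
+ SevEsWorkArea = GetSevEsWorkArea ();
 if (SevEsWorkArea != NULL) {
 EncryptionMask = SevEsWorkArea->EncryptionMask;
 } else {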
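Review bot: In the last hunk (`@@ -115,7 +162,14 @@`), `MemEncryptSevGetEncryptionMask` tests `IsSevGuest()` explicitly and then `GetSevEsWorkArea ()` repeats the same test internally, so the guest type is read twice on every call, and the early `return 0` makes this Sec variant behave differently from the Pei variant in the previous file (`@@ -139,7 +185,7 @@`), which on a non-SEV guest gets NULL from `GetSevEsWorkArea ()` and falls through to its `else` branch instead of returning 0. If a zero mask for non-SEV guests is the intended contract, the Pei copy should do the same and the function's header comment should state it; if not, the explicit guard here can be dropped and the NULL path left to handle it. The body of `MemEncryptSevGetEncryptionMask` continues outside the hunk, so what the `else` branch computes is not visible here. The `IsSevGuest`/`GetSevEsWorkArea` helpers in the first hunk are the same as in PeiMemEncryptSevLibInternal.c and carry the same missing header comment on `GetSevEsWorkArea`.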
--
2.33.1