On 05/19/20 23:51, Lendacky, Thomas wrote: > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 > > Protect the SEV-ES work area memory used by an SEV-ES guest. > > Regarding the lifecycle of the SEV-ES memory area: > PcdSevEsWorkArea > > (a) when and how it is initialized after first boot of the VM > > If SEV-ES is enabled, the SEV-ES area is initialized during > the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm]. > > (b) how it is protected from memory allocations during DXE > > If SEV-ES is enabled, then InitializeRamRegions() > [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either > an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory > allocation HOB, in PEI. > > (c) how it is protected from the OS > > If S3 is enabled, then (b) reserves it from the OS too. > > If S3 is disabled, then the range needs no protection. > > (d) how it is accessed on the S3 resume path > > It is rewritten same as in (a), which is fine because (b) reserved it. > > (e) how it is accessed on the warm reset path > > It is rewritten same as in (a). > > Cc: Jordan Justen <jordan.l.jus...@intel.com> > Cc: Laszlo Ersek <ler...@redhat.com> > Cc: Ard Biesheuvel <ard.biesheu...@arm.com> > Cc: Anthony Perard <anthony.per...@citrix.com> > Cc: Julien Grall <jul...@xen.org> > Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> > --- > OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ > OvmfPkg/PlatformPei/MemDetect.c | 20 ++++++++++++++++++++ > 2 files changed, 22 insertions(+) > > diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf > b/OvmfPkg/PlatformPei/PlatformPei.inf > index 4742e1bdf42b..c53be2f4925c 100644 > --- a/OvmfPkg/PlatformPei/PlatformPei.inf > +++ b/OvmfPkg/PlatformPei/PlatformPei.inf > @@ -118,6 +118,8 @@ [FixedPcd] > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode > gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData > + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase > + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize > > [FeaturePcd] > gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable > diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c > index 6b5fee166b5d..ffbbef891a11 100644 > --- a/OvmfPkg/PlatformPei/MemDetect.c > +++ b/OvmfPkg/PlatformPei/MemDetect.c > @@ -940,5 +940,25 @@ InitializeRamRegions ( > ); > } > } > + > +#ifdef MDE_CPU_X64 > + if (MemEncryptSevEsIsEnabled ()) { > + // > + // If SEV-ES is enabled, reserve the SEV-ES work area. > + // > + // Since this memory range will be used by the Reset Vector on S3 > + // resume, it must be reserved as ACPI NVS. > + // > + // If S3 is unsupported, then various drivers might still write to the > + // work area. We ought to prevent DXE from serving allocation requests > + // such that they would overlap the work area. > + // > + BuildMemoryAllocationHob ( > + (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase), > + (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize), > + mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData > + ); > + } > +#endif > } > } >
Reviewed-by: Laszlo Ersek <ler...@redhat.com> -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60244): https://edk2.groups.io/g/devel/message/60244 Mute This Topic: https://groups.io/mt/74336597/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-