Hi Ray, One comment below.
Mike > -----Original Message----- > From: Ni, Ray <ray...@intel.com> > Sent: Tuesday, March 21, 2023 4:57 PM > To: devel@edk2.groups.io > Cc: Kinney, Michael D <michael.d.kin...@intel.com>; Gao, Liming > <gaolim...@byosoft.com.cn>; Liu, Zhiguang > <zhiguang....@intel.com> > Subject: [PATCH 1/6] MdePkg: Add TME-MK related CPUID and MSR definitions > > TME (Total Memory Encryption) is the capability to encrypt > the entirety of physical memory of a system. > TME-MK (Total Memory Encryption-Multi-Key) builds on TME and adds > support for multiple encryption keys. > > The patch adds some necessary CPUID/MSR definitions for TME-MK. > > Signed-off-by: Ray Ni <ray...@intel.com> > Cc: Michael D Kinney <michael.d.kin...@intel.com> > Cc: Liming Gao <gaolim...@byosoft.com.cn> > Cc: Zhiguang Liu <zhiguang....@intel.com> > --- > .../Include/Register/Intel/ArchitecturalMsr.h | 106 +++++++++++++++++- > MdePkg/Include/Register/Intel/Cpuid.h | 9 +- > 2 files changed, 112 insertions(+), 3 deletions(-) > > diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h > b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h > index 071a8c689c..76d80660da 100644 > --- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h > +++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h > @@ -6,7 +6,7 @@ > returned is a single 32-bit or 64-bit value, then a data structure is not > > provided for that MSR. > > > > - Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR> > > + Copyright (c) 2016 - 2023, Intel Corporation. All rights reserved.<BR> > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > @par Specification Reference: > > @@ -5679,6 +5679,110 @@ typedef union { > **/ > > #define MSR_IA32_X2APIC_SELF_IPI 0x0000083F > > > > +/** > > + Memory Encryption Activation MSR. If CPUID.07H:ECX.[13] = 1. > > + > > + @param ECX MSR_IA32_TME_ACTIVATE (0x00000982) > > + @param EAX Lower 32-bits of MSR value. > > + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER. > > + @param EDX Upper 32-bits of MSR value. > > + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER. > > + > > + <b>Example usage</b> > > + @code > > + MSR_IA32_TME_ACTIVATE_REGISTER Msr; > > + > > + Msr.Uint64 = AsmReadMsr64 (MSR_IA32_TME_ACTIVATE); > > + AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64); > > + @endcode > > + @note MSR_IA32_TME_ACTIVATE is defined as IA32_TME_ACTIVATE in SDM. > > +**/ > > +#define MSR_IA32_TME_ACTIVATE 0x00000982 > > + > > +/** > > + MSR information returned for MSR index #MSR_IA32_TME_ACTIVATE > > +**/ > > +typedef union { > > + /// > > + /// Individual bit fields > > + /// > > + struct { > > + /// > > + /// [Bit 0] Lock R/O: Will be set upon successful WRMSR (or first SMI); > > + /// written value ignored.. > > + /// > > + UINT32 Lock : 1; > > + /// > > + /// [Bit 1] Hardware Encryption Enable: This bit also enables MKTME; > MKTME > > + /// cannot be enabled without enabling encryption hardware. > > + /// > > + UINT32 TmeEnable : 1; > > + /// > > + /// [Bit 2] Key Select: > > + /// 0: Create a new TME key (expected cold/warm boot). > > + /// 1: Restore the TME key from storage (Expected when resume from > standby). > > + /// > > + UINT32 KeySelect : 1; > > + /// > > + /// [Bit 3] Save TME Key for Standby: Save key into storage to be used > when > > + /// resume from standby. > > + /// Note: This may not be supported in all processors. > > + /// > > + UINT32 SaveKeyForStandby : 1; > > + /// > > + /// [Bit 7:4] TME Policy/Encryption Algorithm: Only algorithms > enumerated in > > + /// IA32_TME_CAPABILITY are allowed. > > + /// For example: > > + /// 0000 – AES-XTS-128. > > + /// 0001 – AES-XTS-128 with integrity. > > + /// 0010 – AES-XTS-256. > > + /// Other values are invalid. > > + /// > > + UINT32 TmePolicy : 4; > > + UINT32 Reserved : 23; > > + /// > > + /// [Bit 31] TME Encryption Bypass Enable: When encryption hardware is > enabled: > > + /// * Total Memory Encryption is enabled using a CPU generated ephemeral > key > > + /// based on a hardware random number generator when this bit is set > to 0. > > + /// * Total Memory Encryption is bypassed (no encryption/decryption for > KeyID0) > > + /// when this bit is set to 1. > > + /// Software must inspect Hardware Encryption Enable (bit 1) and TME > encryption > > + /// bypass Enable (bit 31) to determine if TME encryption is enabled. > > + /// > > + UINT32 TmeBypassMode : 1; > > + /// > > + /// [Bit 35:32] MK_TME_KEYID_BITS: Reserved if MKTME is not enumerated, > otherwise: > > + /// The number of key identifier bits to allocate to MKTME usage. > > + /// Similar to enumeration, this is an encoded value. > > + /// Writing a value greater than MK_TME_MAX_KEYID_BITS will result in > #GP. > > + /// Writing a non-zero value to this field will #GP if bit 1 of EAX > (Hardware > > + /// Encryption Enable) is not also set to ‘1, as encryption hardware > must be > > + /// enabled to use MKTME. > > + /// Example: To support 255 keys, this field would be set to a value of > 8. > > + /// > > + UINT32 MkTmeKeyidBits : 4; > > + UINT32 Reserved2 : 12; > > + /// > > + /// [Bit 63:48] MK_TME_CRYPTO_ALGS: Reserved if MKTME is not enumerated, > otherwise: > > + /// Bit 48: AES-XTS 128. > > + /// Bit 49: AES-XTS 128 with integrity. > > + /// Bit 50: AES-XTS 256. > > + /// Bit 63:51: Reserved (#GP) > > + /// Bitmask for BIOS to set which encryption algorithms are allowed for > MKTME, would > > + /// be later enforced by the key loading ISA ('1= allowed) > > + /// > > + UINT32 MkTmeCryptoAlgs : 16; > > + } Bits; > > + /// > > + /// All bit fields as a 32-bit value > > + /// > > + UINT32 Uint32; This is the first MSR in these include files that has defined bits in the range 32..63. This Uint32 union member can only access the lower 32-bits of the MSR. Should this be changed to Uint32[2]? > > + /// > > + /// All bit fields as a 64-bit value > > + /// > > + UINT64 Uint64; > > +} MSR_IA32_TME_ACTIVATE_REGISTER; > > + > > /** > > Silicon Debug Feature Control (R/W). If CPUID.01H:ECX.[11] = 1. > > > > diff --git a/MdePkg/Include/Register/Intel/Cpuid.h > b/MdePkg/Include/Register/Intel/Cpuid.h > index 350bf60252..1fb880c85c 100644 > --- a/MdePkg/Include/Register/Intel/Cpuid.h > +++ b/MdePkg/Include/Register/Intel/Cpuid.h > @@ -6,7 +6,7 @@ > If a register returned is a single 32-bit value, then a data structure is > > not provided for that register. > > > > - Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR> > > + Copyright (c) 2015 - 2023, Intel Corporation. All rights reserved.<BR> > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > @par Specification Reference: > > @@ -1490,7 +1490,12 @@ typedef union { > /// RDPKRU/WRPKRU instructions). > > /// > > UINT32 OSPKE : 1; > > - UINT32 Reserved5 : 9; > > + UINT32 Reserved8 : 8; > > + /// > > + /// [Bit 13] If 1, the following MSRs are supported: > IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, > > + /// IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE. > > + /// > > + UINT32 TME_EN : 1; > > /// > > /// [Bits 14] AVX512_VPOPCNTDQ. (Intel Xeon Phi only.). > > /// > > -- > 2.39.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#102135): https://edk2.groups.io/g/devel/message/102135 Mute This Topic: https://groups.io/mt/97767966/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/9847357/21656/1706620634/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-