On 3/8/24 09:30, Lendacky, Thomas via groups.io wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
>
> This series adds SEV-SNP support for running OVMF under a Secure VM Service Module (SVSM) at a less privileged VM Privilege Level (VMPL). By running at a less privileged VMPL, the SVSM can be used to provide services, e.g. a virtual TPM, for the guest OS within the SEV-SNP confidential VM (CVM) rather than trust such services from the hypervisor.
>
> Currently, OVMF expects to run at the highest VMPL, VMPL0, and there are certain SNP related operations that require that VMPL level. Specifically, the PVALIDATE instruction and the RMPADJUST instruction when setting the VMSA attribute of a page (used when starting APs).
>
> If OVMF is to run at a less privileged VMPL, e.g. VMPL2, then it must use an SVSM (which is running at VMPL0) to perform the operations that it is no longer able to perform.
>
> When running under an SVSM, OVMF must know the APIC IDs of the vCPUs that it will be starting. As a result, the GHCB APIC ID retrieval action must be performed. Since this service can also work with SEV-SNP running at VMPL0, the patches to make use of this feature are near the beginning of the series.
>
> How OVMF interacts with and uses the SVSM is documented in the SVSM specification [1] and the GHCB specification [2].
>
> This support creates a new AmdSvsmLib library that is used by MpInitLib. The edk2-platforms repo requires updates/patches to add the new library requirement. To accommodate that, this series could be split between:
>
>   patch number 12: UefiCpuPkg/AmdSvsmLib: Create the AmdSvsmLib library to support an SVSM
>
> and
>
>   patch number 13: UefiPayloadPkg: Prepare UefiPayloadPkg to use the AmdSvsmLib library
>
> The updates to edk2-platforms can be applied at the split.
I have the edk2-platforms patch series prepared but will hold off on sending until this series settles and is ready to merge.
Thanks, Tom
View/Reply Online (#116551): https://edk2.groups.io/g/devel/message/116551