subject:"\[edk2\-devel\] \[PATCH v8 35\/46\] OvmfPkg\/PlatformPei\: Reserve SEV\-ES work area if S3 is supported"

Re: [edk2-devel] [PATCH v8 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported

2020-05-26 Thread Laszlo Ersek

On 05/19/20 23:51, Lendacky, Thomas wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
> 
> Protect the SEV-ES work area memory used by an SEV-ES guest.
> 
> Regarding the lifecycle of the SEV-ES memory area:
>   PcdSevEsWorkArea
> 
> (a) when and how it is initialized after first boot of the VM
> 
>   If SEV-ES is enabled, the SEV-ES area is initialized during
>   the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].
> 
> (b) how it is protected from memory allocations during DXE
> 
>   If SEV-ES is enabled, then InitializeRamRegions()
>   [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
>   an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
>   allocation HOB, in PEI.
> 
> (c) how it is protected from the OS
> 
>   If S3 is enabled, then (b) reserves it from the OS too.
> 
>   If S3 is disabled, then the range needs no protection.
> 
> (d) how it is accessed on the S3 resume path
> 
>   It is rewritten same as in (a), which is fine because (b) reserved it.
> 
> (e) how it is accessed on the warm reset path
> 
>   It is rewritten same as in (a).
> 
> Cc: Jordan Justen 
> Cc: Laszlo Ersek 
> Cc: Ard Biesheuvel 
> Cc: Anthony Perard 
> Cc: Julien Grall 
> Signed-off-by: Tom Lendacky 
> ---
>  OvmfPkg/PlatformPei/PlatformPei.inf |  2 ++
>  OvmfPkg/PlatformPei/MemDetect.c | 20 
>  2 files changed, 22 insertions(+)
> 
> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
> b/OvmfPkg/PlatformPei/PlatformPei.inf
> index 4742e1bdf42b..c53be2f4925c 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -118,6 +118,8 @@ [FixedPcd]
>gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
>gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
>gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
> +  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
> +  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
>  
>  [FeaturePcd]
>gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
> diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
> index 6b5fee166b5d..ffbbef891a11 100644
> --- a/OvmfPkg/PlatformPei/MemDetect.c
> +++ b/OvmfPkg/PlatformPei/MemDetect.c
> @@ -940,5 +940,25 @@ InitializeRamRegions (
>);
>}
>  }
> +
> +#ifdef MDE_CPU_X64
> +if (MemEncryptSevEsIsEnabled ()) {
> +  //
> +  // If SEV-ES is enabled, reserve the SEV-ES work area.
> +  //
> +  // Since this memory range will be used by the Reset Vector on S3
> +  // resume, it must be reserved as ACPI NVS.
> +  //
> +  // If S3 is unsupported, then various drivers might still write to the
> +  // work area. We ought to prevent DXE from serving allocation requests
> +  // such that they would overlap the work area.
> +  //
> +  BuildMemoryAllocationHob (
> +(EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
> +(UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
> +mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
> +);
> +}
> +#endif
>}
>  }
> 

Reviewed-by: Laszlo Ersek 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60244): https://edk2.groups.io/g/devel/message/60244
Mute This Topic: https://groups.io/mt/74336597/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v8 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported

2020-05-19 Thread Lendacky, Thomas

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

Protect the SEV-ES work area memory used by an SEV-ES guest.

Regarding the lifecycle of the SEV-ES memory area:
  PcdSevEsWorkArea

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the SEV-ES area is initialized during
  the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].

(b) how it is protected from memory allocations during DXE

  If SEV-ES is enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
  an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
  allocation HOB, in PEI.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten same as in (a).

Cc: Jordan Justen 
Cc: Laszlo Ersek 
Cc: Ard Biesheuvel 
Cc: Anthony Perard 
Cc: Julien Grall 
Signed-off-by: Tom Lendacky 
---
 OvmfPkg/PlatformPei/PlatformPei.inf |  2 ++
 OvmfPkg/PlatformPei/MemDetect.c | 20 
 2 files changed, 22 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 4742e1bdf42b..c53be2f4925c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -118,6 +118,8 @@ [FixedPcd]
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
 
 [FeaturePcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 6b5fee166b5d..ffbbef891a11 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -940,5 +940,25 @@ InitializeRamRegions (
   );
   }
 }
+
+#ifdef MDE_CPU_X64
+if (MemEncryptSevEsIsEnabled ()) {
+  //
+  // If SEV-ES is enabled, reserve the SEV-ES work area.
+  //
+  // Since this memory range will be used by the Reset Vector on S3
+  // resume, it must be reserved as ACPI NVS.
+  //
+  // If S3 is unsupported, then various drivers might still write to the
+  // work area. We ought to prevent DXE from serving allocation requests
+  // such that they would overlap the work area.
+  //
+  BuildMemoryAllocationHob (
+(EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
+(UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
+mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
+);
+}
+#endif
   }
 }
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#59891): https://edk2.groups.io/g/devel/message/59891
Mute This Topic: https://groups.io/mt/74336597/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v8 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported

[edk2-devel] [PATCH v8 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES work area if S3 is supported

2 matches

Site Navigation

Mail list logo

Footer information