From nobody Mon Dec 23 10:16:43 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1519949105733928.9633599930041; Thu, 1 Mar 2018 16:05:05 -0800 (PST) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 8FE292255D6E9; Thu, 1 Mar 2018 15:58:29 -0800 (PST) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 48A102255D6E5 for ; Thu, 1 Mar 2018 15:58:27 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9F9247D852; Fri, 2 Mar 2018 00:04:35 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-4.rdu2.redhat.com [10.10.120.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id B9FFC10B0F24; Fri, 2 Mar 2018 00:04:34 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Fri, 2 Mar 2018 01:04:06 +0100 Message-Id: <20180302000408.14201-19-lersek@redhat.com> In-Reply-To: <20180302000408.14201-1-lersek@redhat.com> References: <20180302000408.14201-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 02 Mar 2018 00:04:35 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 02 Mar 2018 00:04:35 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 18/20] OvmfPkg/PlatformPei: SEV: allocate pages of initial SMRAM save state map X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jordan Justen , Brijesh Singh , Ard Biesheuvel MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" In the next two patches, we'll temporarily decrypt the pages containing the initial SMRAM save state map, for SMBASE relocation. (Unlike the separate, relocated SMRAM save state map of each VCPU, the original, shared map behaves similarly to a "common buffer" between guest and host.) The decryption will occur near the beginning of the DXE phase, in AmdSevDxe, and the re-encryption will occur in PiSmmCpuDxeSmm, via OVMF's SmmCpuFeaturesLib instance. There is a non-trivial time gap between these two points, and the DXE phase might use the pages overlapping the initial SMRAM save state map for arbitrary purposes meanwhile. In order to prevent any information leak towards the hypervisor, make sure the DXE phase puts nothing in those pages until re-encryption is done. Creating a memalloc HOB for the area in question is safe: - the temporary SEC/PEI RAM (stack and heap) is based at PcdOvmfSecPeiTempRamBase, which is above 8MB, - the permanent PEI RAM (installed in PlatformPei's PublishPeiMemory() function) never starts below PcdOvmfDxeMemFvBase, which is also above 8MB. The allocated pages can be released to the DXE phase after SMBASE relocation and re-encryption are complete. Cc: Ard Biesheuvel Cc: Brijesh Singh Cc: Jordan Justen Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- OvmfPkg/PlatformPei/AmdSev.c | 29 ++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 1509f260fb0b..2e14eaf8c3cc 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -1,38 +1,39 @@ /**@file Initialize Secure Encrypted Virtualization (SEV) support =20 Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
=20 This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the licen= se may be found at http://opensource.org/licenses/bsd-license.php =20 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. =20 **/ // // The package level header files this module uses // #include +#include #include #include #include #include #include =20 #include "Platform.h" =20 /** =20 Function checks if SEV support is available, if present then it sets the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption m= ask. =20 **/ VOID AmdSevInitialize ( VOID ) { CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; @@ -49,21 +50,49 @@ AmdSevInitialize ( // // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) // AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); =20 // // Set Memory Encryption Mask PCD // PcdStatus =3D PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, Encryption= Mask); ASSERT_RETURN_ERROR (PcdStatus); =20 DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask)); =20 // // Set Pcd to Deny the execution of option ROM when security // violation. // PcdStatus =3D PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4); ASSERT_RETURN_ERROR (PcdStatus); + + // + // When SMM is required, cover the pages containing the initial SMRAM Sa= ve + // State Map with a memory allocation HOB: + // + // There's going to be a time interval between our decrypting those page= s for + // SMBASE relocation and re-encrypting the same pages after SMBASE + // relocation. We shall ensure that the DXE phase stay away from those p= ages + // until after re-encryption, in order to prevent an information leak to= the + // hypervisor. + // + if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode !=3D BOOT_ON_S3_RES= UME)) { + RETURN_STATUS LocateMapStatus; + UINTN MapPagesBase; + UINTN MapPagesCount; + + LocateMapStatus =3D MemEncryptSevLocateInitialSmramSaveStateMapPages ( + &MapPagesBase, + &MapPagesCount + ); + ASSERT_RETURN_ERROR (LocateMapStatus); + + BuildMemoryAllocationHob ( + MapPagesBase, // BaseAddress + EFI_PAGES_TO_SIZE (MapPagesCount), // Length + EfiBootServicesData // MemoryType + ); + } } --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel