On 07/27/20 19:41, Laszlo Ersek wrote:
> Hi Tom,
> 
> On 07/27/20 17:25, Lendacky, Thomas wrote:
>> From: Tom Lendacky <thomas.lenda...@amd.com>
>>
>> This patch series provides support for running EDK2/OVMF under SEV-ES.
>>
>> Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
>> SEV support to protect the guest register state from the hypervisor. See
>> "AMD64 Architecture Programmer's Manual Volume 2: System Programming",
>> section "15.35 Encrypted State (SEV-ES)" [1].
>>
>> In order to allow a hypervisor to perform functions on behalf of a guest,
>> there is architectural support for notifying a guest's operating system
>> when certain types of VMEXITs are about to occur. This allows the guest to
>> selectively share information with the hypervisor to satisfy the requested
>> function. The notification is performed using a new exception, the VMM
>> Communication exception (#VC). The information is shared through the
>> Guest-Hypervisor Communication Block (GHCB) using the VMGEXIT instruction.
>> The GHCB format and the protocol for using it is documented in "SEV-ES
>> Guest-Hypervisor Communication Block Standardization" [2].
>>
>> The main areas of the EDK2 code that are updated to support SEV-ES are
>> around the exception handling support and the AP boot support.
>>
>> Exception support is required starting in Sec, continuing through Pei
>> and into Dxe in order to handle #VC exceptions that are generated.  Each
>> AP requires its own GHCB page as well as a page to hold values specific
>> to that AP.
>>
>> AP booting poses some interesting challenges. The INIT-SIPI-SIPI sequence
>> is typically used to boot the APs. However, the hypervisor is not allowed
>> to update the guest registers. The GHCB document [2] talks about how SMP
>> booting under SEV-ES is performed.
>>
>> Since the GHCB page must be a shared (unencrypted) page, the processor
>> must be running in long mode in order for the guest and hypervisor to
>> communicate with each other. As a result, SEV-ES is only supported under
>> the X64 architecture.
>>
>> [1] https://www.amd.com/system/files/TechDocs/24593.pdf
>> [2] https://developer.amd.com/wp-content/resources/56421.pdf
>>
>> ---
>>
>> These patches are based on commit:
>> 6074f57e5b19 ("MdePkg/Include/IndustryStandard: Main CXL header")
>>
>> A version of the tree can be found at:
>> https://github.com/AMDESE/ovmf/tree/sev-es-v20
>>
>> Cc: Andrew Fish <af...@apple.com>
>> Cc: Anthony Perard <anthony.per...@citrix.com>
>> Cc: Ard Biesheuvel <ard.biesheu...@arm.com>
>> Cc: Benjamin You <benjamin....@intel.com>
>> Cc: Dandan Bi <dandan...@intel.com>
>> Cc: Eric Dong <eric.d...@intel.com>
>> Cc: Guo Dong <guo.d...@intel.com>
>> Cc: Hao A Wu <hao.a...@intel.com>
>> Cc: Jian J Wang <jian.j.w...@intel.com>
>> Cc: Jordan Justen <jordan.l.jus...@intel.com>
>> Cc: Julien Grall <jul...@xen.org>
>> Cc: Laszlo Ersek <ler...@redhat.com>
>> Cc: Leif Lindholm <l...@nuviainc.com>
>> Cc: Liming Gao <liming....@intel.com>
>> Cc: Maurice Ma <maurice...@intel.com>
>> Cc: Michael D Kinney <michael.d.kin...@intel.com>
>> Cc: Ray Ni <ray...@intel.com>
>>
>> Changes since v11:
>> - Make the XGETBV and VMGEXIT .nasm files buildable for all environments
>>   and remove the updates that add these instructions to GccInline.c
> 
> Patches 40-46 (inclusive) seem to be missing from my mailbox (and the
> list archive on groups.io lacks them too, apparently).
> 
> Did you get rate-limited by some component when sending the series, perhaps?

On a second / closer look, that seems quite likely, because my INBOX
does have all the (directly delivered) patches; only my list folder is
missing the tail.

Thanks
Laszlo
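A simplified model of the #VC / GHCB / VMGEXIT exchange the cover letter describes, written as an added example (not code from this series, EDK2 or OVMF): the guest-side handler shares only the CPUID leaf and subleaf through the GHCB, the hypervisor stand-in is constructed, and the Ghcb struct, its field names, the valid-bit constants and the returned CPUID values are simplified assumptions; the real GHCB layout and protocol are in [2].

```c
/* Simplified model of a #VC -> GHCB -> VMGEXIT round trip for CPUID.
 * Added example, not EDK2/OVMF code. The Ghcb struct, field names,
 * valid-bit constants and the hypervisor stand-in are constructed;
 * the real layout, offsets and valid-bitmap rules are in [2]. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define SVM_EXIT_CPUID 0x72u   /* SVM exit code, also the #VC error code */

typedef struct {
  uint64_t rax, rbx, rcx, rdx;
  uint64_t sw_exit_code, sw_exit_info1, sw_exit_info2;
  uint64_t valid_bitmap;       /* one bit per field above, in order */
} Ghcb;

enum { V_RAX = 1u << 0, V_RBX = 1u << 1, V_RCX = 1u << 2, V_RDX = 1u << 3,
       V_EXIT_CODE = 1u << 4, V_INFO1 = 1u << 5, V_INFO2 = 1u << 6 };

/* Stand-in for the hypervisor's VMGEXIT handling (constructed). It only
 * reads fields the guest marked valid and only services CPUID here. */
static void mock_vmgexit(Ghcb *g) {
  const uint64_t need = V_EXIT_CODE | V_RAX | V_RCX;
  if ((g->valid_bitmap & need) != need || g->sw_exit_code != SVM_EXIT_CPUID) {
    g->sw_exit_info1 = 1;      /* non-zero: request rejected */
    return;
  }
  /* constructed CPUID results, not real values for this leaf */
  g->rax = 0x0Fu; g->rbx = 0x016Fu; g->rcx = 0; g->rdx = 0;
  g->valid_bitmap |= V_RAX | V_RBX | V_RCX | V_RDX;
  g->sw_exit_info1 = 0;
}

/* Guest #VC handler for a CPUID exit: share only leaf/subleaf, issue
 * VMGEXIT, then verify every result register was marked valid before
 * trusting it. Returns false when the hypervisor response is unusable. */
bool vc_handle_cpuid(Ghcb *g, uint64_t err_code, uint64_t *rax,
                     uint64_t *rbx, uint64_t *rcx, uint64_t *rdx) {
  const uint64_t results = V_RAX | V_RBX | V_RCX | V_RDX;
  if (err_code != SVM_EXIT_CPUID) return false;   /* not a CPUID #VC */
  memset(g, 0, sizeof *g);
  g->sw_exit_code = SVM_EXIT_CPUID;
  g->rax = *rax; g->rcx = *rcx;                  /* leaf and subleaf only */
  g->valid_bitmap = V_EXIT_CODE | V_INFO1 | V_INFO2 | V_RAX | V_RCX;
  mock_vmgexit(g);                               /* real code: REP VMMCALL */
  if (g->sw_exit_info1 != 0) return false;       /* hypervisor rejected it */
  if ((g->valid_bitmap & results) != results) return false; /* result missing */
  *rax = g->rax; *rbx = g->rbx; *rcx = g->rcx; *rdx = g->rdx;
  return true;
}
```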
