Re: [edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV

Tue, 20 Apr 2021 23:34:50 -0700 



On 4/20/21 5:54 PM, Tom Lendacky wrote:

From: Tom Lendacky <[email protected]>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345

The TPM support in OVMF performs MMIO accesses during the PEI phase. At


where are the phases defined and how many other are there?


this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES
guest will fail attempting to perform MMIO to an encrypted address.

Read the PcdTpmBaseAddress and mark the specification defined range
(0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process
the MMIO requests.

Cc: Laszlo Ersek <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: Jordan Justen <[email protected]>
Cc: Brijesh Singh <[email protected]>
Cc: James Bottomley <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Signed-off-by: Tom Lendacky <[email protected]>
---
  OvmfPkg/PlatformPei/PlatformPei.inf |  1 +
  OvmfPkg/PlatformPei/AmdSev.c        | 19 +++++++++++++++++++
  2 files changed, 20 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 6ef77ba7bb21..de60332e9390 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -113,6 +113,7 @@ [Pcd]

  
  [FixedPcd]

    gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index dddffdebda4b..d524929f9e10 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -141,6 +141,7 @@ AmdSevInitialize (
    )
  {
    UINT64                            EncryptionMask;
+  UINT64                            TpmBaseAddress;
    RETURN_STATUS                     PcdStatus;

  
    //

@@ -206,6 +207,24 @@ AmdSevInitialize (
      }
    }

  
+  //

+  // PEI TPM support will perform MMIO accesses, be sure this range is not
+  // marked encrypted.
+  //
+  TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress);
+  if (TpmBaseAddress != 0) {
+    RETURN_STATUS  DecryptStatus;
+
+    DecryptStatus = MemEncryptSevClearPageEncMask (
+                      0,
+                      TpmBaseAddress,
+                      EFI_SIZE_TO_PAGES (0x5000),
+                      FALSE
+                      );
+
+    ASSERT_RETURN_ERROR (DecryptStatus);
+  }
+
    //
    // Check and perform SEV-ES initialization if required.
    //




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#74316): https://edk2.groups.io/g/devel/message/74316
Mute This Topic: https://groups.io/mt/82247968/21656
Group Owner: [email protected]
Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
























					Reply via email to