PlatformPei: Mark TPM MMIO range as unencrypted for SEV

Eric van Tassell Tue, 20 Apr 2021 23:34:50 -0700



On 4/20/21 5:54 PM, Tom Lendacky wrote:

From: Tom Lendacky <thomas.lenda...@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345

The TPM support in OVMF performs MMIO accesses during the PEI phase. At


where are the phases defined and how many other are there?

this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES
guest will fail attempting to perform MMIO to an encrypted address.

Read the PcdTpmBaseAddress and mark the specification defined range
(0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process
the MMIO requests.

Cc: Laszlo Ersek <ler...@redhat.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Jordan Justen <jordan.l.jus...@intel.com>
Cc: Brijesh Singh <brijesh.si...@amd.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
  OvmfPkg/PlatformPei/PlatformPei.inf |  1 +
  OvmfPkg/PlatformPei/AmdSev.c        | 19 +++++++++++++++++++
  2 files changed, 20 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index 6ef77ba7bb21..de60332e9390 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -113,6 +113,7 @@ [Pcd]

[FixedPcd]

    gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory
    gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index dddffdebda4b..d524929f9e10 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -141,6 +141,7 @@ AmdSevInitialize (
    )
  {
    UINT64                            EncryptionMask;
+  UINT64                            TpmBaseAddress;
    RETURN_STATUS                     PcdStatus;

//

@@ -206,6 +207,24 @@ AmdSevInitialize (
      }
    }

+ //

+  // PEI TPM support will perform MMIO accesses, be sure this range is not
+  // marked encrypted.
+  //
+  TpmBaseAddress = PcdGet64 (PcdTpmBaseAddress);
+  if (TpmBaseAddress != 0) {
+    RETURN_STATUS  DecryptStatus;
+
+    DecryptStatus = MemEncryptSevClearPageEncMask (
+                      0,
+                      TpmBaseAddress,
+                      EFI_SIZE_TO_PAGES (0x5000),
+                      FALSE
+                      );
+
+    ASSERT_RETURN_ERROR (DecryptStatus);
+  }
+
    //
    // Check and perform SEV-ES initialization if required.
    //



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#74316): https://edk2.groups.io/g/devel/message/74316
Mute This Topic: https://groups.io/mt/82247968/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV

Reply via email to