On Wed, Oct 13, 2021 at 11:56:48AM -0500, Brijesh Singh wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>
> An SEV-SNP guest requires that private memory (aka pages mapped encrypted)
> must be validated before being accessed.
>
> The validation process consists of the following sequence:
>
> 1) Set the memory encryption attribute in the page table (aka C-bit).
>    Note: If the processor is in non-PAE mode, then all the memory accesses
>    are considered private.
> 2) Add the memory range as private in the RMP table. This can be performed
>    using the Page State Change VMGEXIT defined in the GHCB specification.
> 3) Use the PVALIDATE instruction to set the Validated Bit in the RMP table.
>
> During the guest creation time, the VMM encrypts the OVMF_CODE.fd using
> the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In addition to
> encrypting the content, the command also validates the memory region.
> This allows us to execute the code without going through the validation
> sequence.
>
> During execution, the reset vector needs to access some data pages
> (such as page tables, SevESWorkarea, Sec stack). The data pages are
> accessed as private memory. The data pages are not part of the
> OVMF_CODE.fd, so they were not validated during the guest creation.
>
> There are two approaches we can take to validate the data pages before
> the access:
>
> a) Enhance the OVMF reset vector code to validate the pages as described
>    above (go through step 2 - 3).
> OR
> b) Validate the pages during the guest creation time. The SEV firmware
>    provides a command which can be used by the VMM to validate the pages
>    without affecting the measurement of the launch.
>
> Approach #b seems much simpler; it does not require any changes to the
> OVMF reset vector code.
>
> Update the OVMF metadata with the list of regions that must be
> pre-validated by the VMM before the boot.

Acked-by: Gerd Hoffmann <kra...@redhat.com>

take care,
  Gerd