On Wed, Oct 13, 2021 at 11:56:55AM -0500, Brijesh Singh wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
> 
> Many of the integrity guarantees of SEV-SNP are enforced through the
> Reverse Map Table (RMP). Each RMP entry contains the GPA at which a
> particular page of DRAM should be mapped. The guest can request the
> hypervisor to add pages in the RMP table via the Page State Change VMGEXIT
> defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP
> entry is a Validated flag; this flag is automatically cleared to 0 by the
> CPU hardware when a new RMP entry is created for a guest. Each VM page
> can be either validated or invalidated, as indicated by the Validated
> flag in the RMP entry. Memory access to a private page that is not
> validated generates a #VC. A VM can use the PVALIDATE instruction to
> validate the private page before using it.
> 
> During the guest creation, the boot ROM memory is pre-validated by the
> AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called
> during the SEC and PEI phase to validate the detected system RAM.
> 
> One of the fields in the Page State Change NAE is the RMP page size. The
> page size input parameter indicates that either a 4KB or 2MB page should
> be used while adding the RMP entry. During the validation, when possible,
> the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A
> hypervisor backing the memory may choose to use a different page size
> in the RMP entry. In those cases, the PVALIDATE instruction should return
> SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512 pages
> constituting a 2MB region.
> 
> Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if
> the instruction changed the RMP entry and to 1 if the instruction did not
> change the RMP entry. The rFlags.CF will be 1 only when a memory region
> is already validated. We should not double validate memory
> as it could lead to a security compromise. If double validation is
> detected, terminate the boot.

Acked-by: Gerd Hoffmann <kra...@redhat.com>
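
The control flow the quoted commit message describes (try a 2MB validation, fall back to 512 4KB validations on SIZEMISMATCH, stop on a set carry flag), as an added example that is not code from the patch or from EDK2. PVALIDATE and the RMP are replaced by a small in-memory model; model_pvalidate(), validate_range(), the PV_* codes and the array names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGES        2048   /* constructed guest: 8 MB of 4 KB pages */
#define PAGES_PER_2M 512
enum { PV_OK = 0, PV_SIZEMISMATCH = 6, PV_DOUBLE = -1 };  /* codes used by this model */
static uint8_t validated[PAGES];              /* modeled RMP Validated flags */
static uint8_t rmp_2m[PAGES / PAGES_PER_2M];  /* 1 = hypervisor used a 2MB RMP entry */

/* Stand-in for PVALIDATE: returns a status; *cf = 1 if no flag was changed. */
static int model_pvalidate(unsigned pfn, int size_2m, int *cf)
{
    unsigned n = size_2m ? PAGES_PER_2M : 1, changed = 0;
    *cf = 0;
    if (size_2m && !rmp_2m[pfn / PAGES_PER_2M])
        return PV_SIZEMISMATCH;
    for (unsigned i = 0; i < n; i++) {
        changed |= !validated[pfn + i];
        validated[pfn + i] = 1;
    }
    *cf = !changed;
    return PV_OK;
}

/* Validate [pfn, pfn + count); PV_DOUBLE marks where the boot would be terminated. */
static int validate_range(unsigned pfn, unsigned count)
{
    unsigned end = pfn + count;
    while (pfn < end) {
        int cf, use_2m = (pfn % PAGES_PER_2M == 0) && (end - pfn >= PAGES_PER_2M);
        int ret = model_pvalidate(pfn, use_2m, &cf);
        if (ret == PV_SIZEMISMATCH) {         /* retry as 512 4KB pages */
            for (unsigned i = 0; i < PAGES_PER_2M; i++)
                if (model_pvalidate(pfn + i, 0, &cf) != PV_OK || cf)
                    return PV_DOUBLE;
        } else if (ret != PV_OK || cf) {
            return PV_DOUBLE;
        }
        pfn += use_2m ? PAGES_PER_2M : 1;
    }
    return PV_OK;
}

int main(void)
{
    rmp_2m[0] = 1;  /* region 0 has a 2MB entry, region 1 has 4KB entries */
    int first = validate_range(0, 1027);
    printf("first=%d repeat=%d\n", first, validate_range(512, 1));
    return 0;
}
```

The carry flag is checked inside the 4KB fallback loop as well, so a single already-validated page within a mismatched 2MB region is still caught.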


