On November 22, 2021 11:09 AM, Ni Ray wrote:
> Gerd, thanks. I am about to raise the same comments...
>
> + gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask ##
> CONSUMES
>
> > AddressEncMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask)
> &
> > PAGING_1G_ADDRESS_MASK_64;
> > + if (AddressEncMask == 0) {
> > + AddressEncMask = PcdGet64 (PcdTdxSharedBitMask) &
> > + PAGING_1G_ADDRESS_MASK_64; }
>
> Looks like two PCDs for basically the same thing.
> Should we create a common CC PCD here?
>

1. The current situation of PcdPteMemoryEncryptionAddressOrMask is:
   1.1 PcdPteMemoryEncryptionAddressOrMask is now set by AmdSev.
   1.2 In CreateIdentityMappingPageTables(), this value (AddressEncMask) is set to the page tables in SEV guest.
   1.3 This PCD is also used as an indicator in InternalMemEncryptSevStatus() if ReadSevMsr is TRUE or FALSE.
   1.4 This PCD is also used in BootScriptExecutorEntryPoint()
2. The meaning and usage scenario of PcdTdxSharedBitMask are somehow different from PcdPteMemoryEncryptionAddressOrMask.
   2.1 Guest physical address (GPA) space of Td guest is divided into private and shared sub-spaces, determined by the shared bit of GPA. [1]
   2.2 PcdTdxSharedBitMask indicates the above shared bit of GPA. And only the shared GPA has the shared bit set. This breaks 1.2.
   2.3 It also breaks 1.3 above, because not all MSRs can be read in Td guest (it will trigger #VE).
   2.4 It breaks 1.4 above as well, because the private GPA doesn't have the shared bit set (2.2). So BootScriptExecutorEntryPoint() has to check Td guest at run-time so that the correct AddressEncMask is used.

Based on the above investigation and consideration, I suggest using PcdTdxSharedBitMask for Td guest and PcdPteMemoryEncryptionAddressOrMask for SEV guest. We can re-visit it later.

[1] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf Section 2.4.2

Thanks
Min
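Review bot: In the quoted hunk, the "if (AddressEncMask == 0)" fallback treats a zero PcdPteMemoryEncryptionAddressOrMask as the only signal that PcdTdxSharedBitMask applies, and then stores the shared-bit value in AddressEncMask as if both masks had the same meaning. The reply states that only shared GPAs carry the shared bit (2.2), so the same variable now holds a mask that marks encrypted pages in one case and shared pages in the other. Consider selecting the mask with an explicit guest-type check rather than inferring it from a zero PCD, keeping the TDX value in a separately named variable, and adding a comment at the assignment that says which pages the mask is meant to be applied to.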