Thanks Tom. Please give me some time to digest this patch set before I can give some feedback.
One quick question to you: With this patch, we need to support multiple SEV modes:
1. SEV guest firmware
2. SEV-ES guest firmware
3. SEV-SNP guest firmware
4. SEV-SNP SVSM guest firmware
And all these modes require runtime detection. Am I right?
If so, where is the flag to set those modes?

Please correct me if my understanding is wrong.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Tom Lendacky <thomas.lenda...@amd.com>
> Sent: Saturday, January 27, 2024 6:13 AM
> To: devel@edk2.groups.io
> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>; Aktas, Erdem <erdemak...@google.com>; Gerd Hoffmann <kra...@redhat.com>; Yao, Jiewen <jiewen....@intel.com>; Laszlo Ersek <ler...@redhat.com>; Liming Gao <gaolim...@byosoft.com.cn>; Kinney, Michael D <michael.d.kin...@intel.com>; Xu, Min M <min.m...@intel.com>; Liu, Zhiguang <zhiguang....@intel.com>; Kumar, Rahul R <rahul.r.ku...@intel.com>; Ni, Ray <ray...@intel.com>; Michael Roth <michael.r...@amd.com>
> Subject: [PATCH 00/16] Provide SEV-SNP support for running under an SVSM
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
>
> This series adds SEV-SNP support for running OVMF under a Secure VM
> Service Module (SVSM) at a less privileged VM Privilege Level (VMPL).
> By running at a less privileged VMPL, the SVSM can be used to provide
> services, e.g. a virtual TPM, for the guest OS within the SEV-SNP
> confidential VM (CVM) rather than trust such services from the hypervisor.
>
> Currently, OVMF expects to run at the highest VMPL, VMPL0, and there are
> certain SNP related operations that require that VMPL level. Specifically,
> the PVALIDATE instruction and the RMPADJUST instruction when setting the
> VMSA attribute of a page (used when starting APs).
>
> If OVMF is to run at a less privileged VMPL, e.g. VMPL2, then it must
> use an SVSM (which is running at VMPL0) to perform the operations that
> it is no longer able to perform.
>
> How OVMF interacts with and uses the SVSM is documented in the SVSM
> specification [1] and the GHCB specification [2].
>
> This series introduces support to run OVMF under an SVSM. It consists
> of:
> - Reorganize the page state change support to not directly use the
>   GHCB buffer since an SVSM will use the calling area buffer, instead
> - Detecting the presence of an SVSM
> - When not running at VMPL0, invoking the SVSM for page validation and
>   VMSA page creation/deletion
> - Retrieving the list of vCPU APIC IDs and starting up all APs without
>   performing a broadcast SIPI
> - Detecting and allowing OVMF to run in a VMPL other than 0 when an
>   SVSM is present
>
> The series is based off of commit:
>
> 7d7decfa3dc8 ("UefiPayloadPkg/Crypto: Support external Crypto drivers.")
>
> [1] https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
> [2] https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
>
> ---
>
> Tom Lendacky (16):
>   OvmfPkg/BaseMemEncryptSevLib: Re-organize page state change support
>   MdePkg/Register/Amd: Define the SVSM related information
>   MdePkg/BaseLib: Add a new VMGEXIT instruction invocation for SVSM
>   UefiCpuPkg/CcExitLib: Extend the CcExitLib library to support an SVSM
>   Ovmfpkg/CcExitLib: Extend CcExitLib to handle SVSM related services
>   OvmfPkg: Create a calling area used to communicate with the SVSM
>   OvmfPkg/CcExitLib: Add support for the SVSM_CORE_PVALIDATE call
>   OvmfPkg/CcExitLib: Add support for the SVSM create/delete vCPU calls
>   UefiCpuPkg/MpInitLib: Use CcExitSnpVmsaRmpAdjust() to set/clear VMSA
>   MdePkg: GHCB APIC ID retrieval support definitions
>   UefiCpuPkg: Create APIC ID list PCD
>   OvmfPkg/PlatformPei: Retrieve APIC IDs from the hypervisor
>   UefiCpuPkg/MpInitLib: Always use AP Create if PcdSevSnpApicIds is set
>   UefiCpuPkg/MpInitLib: AP creation support under an SVSM
>   Ovmfpkg/CcExitLib: Provide SVSM discovery support
>   OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not at VMPL0
>
>  OvmfPkg/OvmfPkg.dec                                                   |   4 +
>  UefiCpuPkg/UefiCpuPkg.dec                                             |   7 +-
>  OvmfPkg/AmdSev/AmdSevX64.fdf                                          |   9 +-
>  OvmfPkg/OvmfPkgX64.fdf                                                |   3 +
>  MdePkg/Library/BaseLib/BaseLib.inf                                    |   2 +
>  OvmfPkg/Library/CcExitLib/CcExitLib.inf                               |   5 +-
>  OvmfPkg/Library/CcExitLib/SecCcExitLib.inf                            |   5 +-
>  OvmfPkg/PlatformPei/PlatformPei.inf                                   |   3 +
>  OvmfPkg/ResetVector/ResetVector.inf                                   |   2 +
>  UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf                         |   1 +
>  UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf                         |   3 +-
>  MdePkg/Include/Library/BaseLib.h                                      |  39 ++
>  MdePkg/Include/Register/Amd/Fam17Msr.h                                |  19 +-
>  MdePkg/Include/Register/Amd/Ghcb.h                                    |  19 +-
>  MdePkg/Include/Register/Amd/Msr.h                                     |   3 +-
>  MdePkg/Include/Register/Amd/Svsm.h                                    | 101 ++++
>  MdePkg/Include/Register/Amd/SvsmMsr.h                                 |  35 ++
>  OvmfPkg/Include/WorkArea.h                                            |   7 +
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h         |   4 +-
>  OvmfPkg/Library/CcExitLib/CcExitSvsm.h                                |  29 ++
>  UefiCpuPkg/Include/Library/CcExitLib.h                                |  71 ++-
>  UefiCpuPkg/Library/MpInitLib/MpLib.h                                  |  27 +-
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c    |  16 +-
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c        |  25 +-
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c    |  20 +-
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c    |  25 +-
>  OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c | 203 ++++----
>  OvmfPkg/Library/CcExitLib/CcExitSvsm.c                                | 532 ++++++++++++++++++++
>  OvmfPkg/Library/CcExitLib/CcExitVcHandler.c                           |  29 +-
>  OvmfPkg/PlatformPei/AmdSev.c                                          | 100 +++-
>  UefiCpuPkg/Library/CcExitLibNull/CcExitLibNull.c                      |  82 ++-
>  UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c                            |  19 +-
>  UefiCpuPkg/Library/MpInitLib/MpLib.c                                  |   7 +-
>  UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c                             | 127 +++--
>  MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm                          |  39 ++
>  MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm                           |  94 ++++
>  OvmfPkg/ResetVector/ResetVector.nasmb                                 |   6 +-
>  OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm                           |   9 +
>  UefiCpuPkg/UefiCpuPkg.uni                                             |   3 +
>  39 files changed, 1524 insertions(+), 210 deletions(-)
>  create mode 100644 MdePkg/Include/Register/Amd/Svsm.h
>  create mode 100644 MdePkg/Include/Register/Amd/SvsmMsr.h
>  create mode 100644 OvmfPkg/Library/CcExitLib/CcExitSvsm.h
>  create mode 100644 OvmfPkg/Library/CcExitLib/CcExitSvsm.c
>  create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm
>  create mode 100644 MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm
>
> --
> 2.42.0
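The cover letter quoted above explains why page validation has to be routed differently once OVMF no longer runs at VMPL0: PVALIDATE is a VMPL0 operation, so at VMPL2 the firmware must hand the request to the SVSM, and if no SVSM was discovered there is nothing that can do the work. The following C is an added illustration of that dispatch, written for this page; it is not OVMF, edk2 or SVSM code. It assumes a constructed toy "RMP" with one entry per page, a PVALIDATE stand-in that refuses any VMPL other than 0, and an SVSM stand-in that performs the operation at VMPL0 on the caller's behalf. The function names (`LegacySnpValidatePage`, `SvsmAwareSnpValidatePage`, `Model*`) are hypothetical, and how the current VMPL and the SVSM presence are detected at runtime is outside the model and taken as inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model, not hardware emulation and not edk2 code: a tiny RMP
 * with one entry per page, plus the platform-level fact the series
 * discovers at runtime (whether an SVSM is present).
 */
#define MODEL_PAGE_COUNT  8

typedef struct {
  bool  Validated;              /* page has been validated for this guest */
} MODEL_RMP_ENTRY;

typedef struct {
  MODEL_RMP_ENTRY  Rmp[MODEL_PAGE_COUNT];
  bool             SvsmPresent; /* result of SVSM discovery (model input) */
} MODEL_PLATFORM;

typedef enum {
  VALIDATE_DIRECT = 0,   /* firmware executed PVALIDATE itself (VMPL0) */
  VALIDATE_VIA_SVSM,     /* request handed to the SVSM, which ran PVALIDATE */
  VALIDATE_FAULT,        /* operation refused: not VMPL0, or bad page */
  VALIDATE_NO_SVSM       /* not at VMPL0 and no SVSM: nothing can do the work */
} VALIDATE_RESULT;

/* Stand-in for PVALIDATE: only VMPL0 may change a page's validated state. */
static bool
ModelPvalidate (MODEL_PLATFORM *Platform, unsigned Vmpl, size_t Page, bool Validate)
{
  if ((Vmpl != 0) || (Page >= MODEL_PAGE_COUNT)) {
    return false;
  }
  Platform->Rmp[Page].Validated = Validate;
  return true;
}

/* Stand-in for the SVSM servicing a PVALIDATE request at VMPL0. A real SVSM
   checks the request against what the caller may touch; the model keeps only
   the bounds check. */
static bool
ModelSvsmPvalidate (MODEL_PLATFORM *Platform, size_t Page, bool Validate)
{
  return ModelPvalidate (Platform, 0, Page, Validate);
}

/* The behaviour the cover letter attributes to OVMF today: always issue
   PVALIDATE directly, which silently assumes VMPL0. Hypothetical name. */
VALIDATE_RESULT
LegacySnpValidatePage (MODEL_PLATFORM *Platform, unsigned CurrentVmpl, size_t Page, bool Validate)
{
  return ModelPvalidate (Platform, CurrentVmpl, Page, Validate) ? VALIDATE_DIRECT : VALIDATE_FAULT;
}

/* The dispatch the series introduces, as a hypothetical function: at VMPL0 do
   it yourself; otherwise an SVSM is required and the request goes to it. */
VALIDATE_RESULT
SvsmAwareSnpValidatePage (MODEL_PLATFORM *Platform, unsigned CurrentVmpl, size_t Page, bool Validate)
{
  if (CurrentVmpl == 0) {
    return ModelPvalidate (Platform, CurrentVmpl, Page, Validate) ? VALIDATE_DIRECT : VALIDATE_FAULT;
  }
  if (!Platform->SvsmPresent) {
    return VALIDATE_NO_SVSM;   /* the "no SVSM when not at VMPL0" check */
  }
  return ModelSvsmPvalidate (Platform, Page, Validate) ? VALIDATE_VIA_SVSM : VALIDATE_FAULT;
}

/* Read back the model's RMP so a caller can confirm the page state changed. */
bool
ModelPageIsValidated (const MODEL_PLATFORM *Platform, size_t Page)
{
  return (Page < MODEL_PAGE_COUNT) && Platform->Rmp[Page].Validated;
}

int
main (void)
{
  MODEL_PLATFORM  Platform = { 0 };

  Platform.SvsmPresent = true;
  printf ("legacy path at VMPL2:     result=%d validated=%d\n",
          LegacySnpValidatePage (&Platform, 2, 3, true), ModelPageIsValidated (&Platform, 3));
  printf ("SVSM-aware path at VMPL2: result=%d validated=%d\n",
          SvsmAwareSnpValidatePage (&Platform, 2, 3, true), ModelPageIsValidated (&Platform, 3));
  return 0;
}
```

The two firmware-side functions differ only in the dispatch; the point of the model is that the legacy path fails closed at VMPL2 (the page stays unvalidated), while the SVSM-aware path succeeds through the SVSM and, when no SVSM is present, reports a distinct unrecoverable condition instead of attempting an instruction it cannot execute.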