BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
Currently, an SEV-SNP guest will terminate if it is not running at VMPL0.
The requirement for running at VMPL0 is removed if an SVSM is present.
Update the current VMPL0 check to additionally check for the presence of
an SVSM is the guest is not running at VMPL0.
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c | 9
++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
index ca279d77274b..f2d9f7cf2fea 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
@@ -12,6 +12,7 @@
#include <Library/BaseLib.h>
#include <Library/DebugLib.h>
#include <Library/MemEncryptSevLib.h>
+#include <Library/CcSvsmLib.h>
#include "SnpPageStateChange.h"
@@ -74,10 +75,12 @@ MemEncryptSevSnpPreValidateSystemRam (
//
// The page state change uses the PVALIDATE instruction. The instruction
- // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate
- // the boot.
+ // can be run at VMPL-0 only. If its not a VMPL-0 guest, then an SVSM must
+ // be present to perform the operation on behalf of the guest. If the guest
+ // is not running at VMPL-0 and an SVSM is not present, then terminate the
+ // boot.
//
- if (!SevSnpIsVmpl0 ()) {
+ if (!SevSnpIsVmpl0 () && !CcSvsmIsSvsmPresent ()) {
SnpPageStateFailureTerminate ();
}
--
2.42.0
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115858): https://edk2.groups.io/g/devel/message/115858
Mute This Topic: https://groups.io/mt/104512987/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
