Re-pinging the list/maintainers, again. I need reviews from the
maintainers on patches #2, #7, #10, #11 and #13.
Once I get final approval, I'll submit the change to edk2-platforms for
the new library as a reply to this series for a quick review.
Thanks,
Tom
On 4/2/24 13:16, Lendacky, Thomas via groups.io wrote:
Re-pinging the list/maintainers. Still awaiting feedback/reviews/acks on
the changes.
Thanks,
Tom
On 3/26/24 13:34, Tom Lendacky wrote:
Any issues with this version of the series? Still looking for
Reviewed-by's for the MdePkg, UefiCpuPkg and UefiPayloadPkg related
patches.
Once I get those, I'll submit the edk2-platform patches to support the
new library as a response to these patches for a quick review.
Thanks,
Tom
On 3/8/24 09:29, Tom Lendacky wrote:
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654
This series adds SEV-SNP support for running OVMF under an Secure VM
Service Module (SVSM) at a less privileged VM Privilege Level (VMPL).
By running at a less priviledged VMPL, the SVSM can be used to provide
services, e.g. a virtual TPM, for the guest OS within the SEV-SNP
confidential VM (CVM) rather than trust such services from the hypervisor.
Currently, OVMF expects to run at the highest VMPL, VMPL0, and there are
certain SNP related operations that require that VMPL level. Specifically,
the PVALIDATE instruction and the RMPADJUST instruction when setting the
the VMSA attribute of a page (used when starting APs).
If OVMF is to run at a less privileged VMPL, e.g. VMPL2, then it must
use an SVSM (which is running at VMPL0) to perform the operations that
it is no longer able to perform.
When running under an SVSM, OVMF must know the APIC IDs of the vCPUs that
it will be starting. As a result, the GHCB APIC ID retrieval action must
be performed. Since this service can also work with SEV-SNP running at
VMPL0, the patches to make use of this feature are near the beginning of
the series.
How OVMF interacts with and uses the SVSM is documented in the SVSM
specification [1] and the GHCB specification [2].
This support creates a new AmdSvsmLib library that is used by MpInitLib.
The edk2-platforms repo requires updates/patches to add the new library
requirement. To accomodate that, this series could be split between:
patch number 12:
UefiCpuPkg/AmdSvsmLib: Create the AmdSvsmLib library to support an SVSM
and patch number 13:
UefiPayloadPkg: Prepare UefiPayloadPkg to use the AmdSvsmLib library
The updates to edk2-platforms can be applied at the split.
This series introduces support to run OVMF under an SVSM. It consists
of:
- Retrieving the list of vCPU APIC IDs and starting up all APs without
performing a broadcast SIPI
- Reorganizing the page state change support to not directly use the
GHCB buffer since an SVSM will use the calling area buffer, instead
- Detecting the presence of an SVSM
- When not running at VMPL0, invoking the SVSM for page validation and
VMSA page creation/deletion
- Detecting and allowing OVMF to run in a VMPL other than 0 when an
SVSM is present
The series is based off of commit:
e60529df58e4 ("UefiPayloadPkg: Make Dsc accomodative of other archs")
[1]
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
[2]
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
Cc: Anatol Belski <anbel...@linux.microsoft.com>
Cc: Anthony Perard <anthony.per...@citrix.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Corvin Köhne <corv...@freebsd.org>
Cc: Erdem Aktas <erdemak...@google.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Gua Guo <gua....@intel.com>
Cc: Guo Dong <guo.d...@intel.com>
Cc: James Lu <james...@intel.com>
Cc: Jianyong Wu <jianyong...@arm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kin...@intel.com>
Cc: Michael Roth <michael.r...@amd.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Rahul Kumar <rahul1.ku...@intel.com>
Cc: Ray Ni <ray...@intel.com>
Cc: Rebecca Cran <rebe...@bsdio.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: Zhiguang Liu <zhiguang....@intel.com>
---
Changes in v3:
- Renamed CcSvsmLib to a more AMD-specific AmdSvsmLib with corresponding
function name changes
- Moved the GHCB APIC ID list GUID definition from MdePkg to UefiCpuPkg
and change the name from gEfiApicIdsGuid to gGhcbApicIdsGuid
- Separated the OvmfPkg changes for the AmdSvsmLib into two patches:
- First patch adds usage of the AmdSvsmLib NULL library
- Second patch adds the OVMF AmdSvsmLib implementation
- Updated the commit message for the OVMF AmdSvsmLib implementation to
indicate that the base functionality for PVALIDATE and RMPADJUST was
copied from the original locations in prep for converting those sites
to using the library API.
Changes in v2:
- Move the APIC IDs retrieval support to the beginning of the patch series
- Use a GUIDed HOB to hold the APIC ID list instead of a PCD
- Split up Page State Change reorganization into multiple patches
- Created CcSvsmLib library instead of extending CcExitLib
- This will require a corresponding update to edk2-platform DSC files
- Removed Ray Ni's Acked-by since it is not a minor change
- Variable name changes and other misc changes
Tom Lendacky (24):
OvmfPkg/BaseMemEncryptLib: Fix error check from AsmRmpAdjust()
MdePkg: GHCB APIC ID retrieval support definitions
UefiCpuPkg/MpInitLib: Always use AP Create if GhcbApicIds HOB is
present
OvmfPkg/PlatformPei: Retrieve APIC IDs from the hypervisor
OvmfPkg/BaseMemEncryptSevLib: Fix uncrustify errors
OvmfPkg/BaseMemEncryptSevLib: Calculate memory size for Page State
Change
MdePkg: Avoid hardcoded value for number of Page State Change entries
OvmfPkg/BaseMemEncryptSevLib: Re-organize page state change support
OvmfPkg/BaseMemEncryptSevLib: Maximize Page State Change efficiency
MdePkg/Register/Amd: Define the SVSM related information
MdePkg/BaseLib: Add a new VMGEXIT instruction invocation for SVSM
UefiCpuPkg/AmdSvsmLib: Create the AmdSvsmLib library to support an
SVSM
UefiPayloadPkg: Prepare UefiPayloadPkg to use the AmdSvsmLib library
Ovmfpkg: Prepare OvmfPkg to use the AmdSvsmLib library
Ovmfpkg/AmdSvsmLib: Create AmdSvsmLib to handle SVSM related services
UefiCpuPkg/MpInitLib: Use AmdSvsmSnpVmsaRmpAdjust() to set/clear VMSA
OvmfPkg/BaseMemEncryptSevLib: Use AmdSvsmSnpPvalidate() to validate
pages
OvmfPkg: Create a calling area used to communicate with the SVSM
OvmfPkg/AmdSvsmLib: Add support for the SVSM_CORE_PVALIDATE call
OvmfPkg/BaseMemEncryptSevLib: Maximize Page State Change efficiency
OvmfPkg/AmdSvsmLib: Add support for the SVSM create/delete vCPU calls
UefiCpuPkg/MpInitLib: AP creation support under an SVSM
Ovmfpkg/CcExitLib: Provide SVSM discovery support
OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not at
VMPL0
OvmfPkg/OvmfPkg.dec | 4 +
UefiCpuPkg/UefiCpuPkg.dec | 8 +-
OvmfPkg/AmdSev/AmdSevX64.dsc | 1 +
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 3 +-
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfXen.dsc | 1 +
UefiCpuPkg/UefiCpuPkg.dsc | 4 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 1 +
OvmfPkg/AmdSev/AmdSevX64.fdf | 9 +-
OvmfPkg/OvmfPkgX64.fdf | 3 +
MdePkg/Library/BaseLib/BaseLib.inf | 2 +
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.inf | 38 ++
OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 3 +-
OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf | 3 +-
OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf | 3 +-
OvmfPkg/Library/CcExitLib/CcExitLib.inf | 3 +-
OvmfPkg/Library/CcExitLib/SecCcExitLib.inf | 3 +-
OvmfPkg/PlatformPei/PlatformPei.inf | 3 +
OvmfPkg/ResetVector/ResetVector.inf | 2 +
UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf | 27 ++
UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 2 +
UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 2 +
MdePkg/Include/Library/BaseLib.h | 39 ++
MdePkg/Include/Register/Amd/Fam17Msr.h | 19 +-
MdePkg/Include/Register/Amd/Ghcb.h | 19 +-
MdePkg/Include/Register/Amd/Msr.h | 3 +-
MdePkg/Include/Register/Amd/Svsm.h | 101 ++++
MdePkg/Include/Register/Amd/SvsmMsr.h | 35 ++
OvmfPkg/Include/WorkArea.h | 9 +-
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h | 6 +-
UefiCpuPkg/Include/Guid/GhcbApicIds.h | 17 +
UefiCpuPkg/Include/Library/AmdSvsmLib.h | 101 ++++
UefiCpuPkg/Library/MpInitLib/MpLib.h | 29 +-
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 500 ++++++++++++++++++++
OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c |
11 +-
OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 27 +-
OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c |
22 +-
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c |
31 +-
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c |
206 ++++----
OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 29 +-
OvmfPkg/PlatformPei/AmdSev.c | 103 +++-
UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c | 108 +++++
UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c | 21 +-
UefiCpuPkg/Library/MpInitLib/MpLib.c | 9 +-
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 134 ++++--
MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm | 39 ++
MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm | 94 ++++
OvmfPkg/ResetVector/ResetVector.nasmb | 6 +-
OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 +-
UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.uni | 13 +
55 files changed, 1641 insertions(+), 232 deletions(-)
create mode 100644 OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.inf
create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
create mode 100644 MdePkg/Include/Register/Amd/Svsm.h
create mode 100644 MdePkg/Include/Register/Amd/SvsmMsr.h
create mode 100644 UefiCpuPkg/Include/Guid/GhcbApicIds.h
create mode 100644 UefiCpuPkg/Include/Library/AmdSvsmLib.h
create mode 100644 OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExitSvsm.nasm
create mode 100644 MdePkg/Library/BaseLib/X64/VmgExitSvsm.nasm
create mode 100644 UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.uni
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117667): https://edk2.groups.io/g/devel/message/117667
Mute This Topic: https://groups.io/mt/104810672/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
