The SEV-ES DebugVirtualization feature enables type B swapping of debug registers on #VMEXIT and makes #DB and DR7 intercepts unnecessary and unwanted.
When DebugVirtualization is enabled, this stops booting if #VC for #DB or DB7 read/write occurs as this signals unwanted interaction from the HV. Add new API to PEI, SEC, DXE. This does not change the existing behaviour yet. Cc: Ard Biesheuvel <[email protected]> Cc: Erdem Aktas <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Michael Roth <[email protected]> Cc: Min Xu <[email protected]> Cc: Tom Lendacky <[email protected]> Signed-off-by: Alexey Kardashevskiy <[email protected]> --- Changes: v4: * s/DebugSwap/DebugVirtualization/ --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++--- OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 15 +++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 15 +++++++++++ OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 8 ++++++ 5 files changed, 74 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index 4fa9c0d70083..c5653539d8d8 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -166,6 +166,18 @@ MemEncryptSevGetEncryptionMask ( VOID ); +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ); + /** Returns the encryption state of the specified virtual address range. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4aba0075b9e2..9947d663deae 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -40,19 +40,25 @@ AmdMemEncryptionAttrCheck ( IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { + UINT64 CurrentLevel; + + CurrentLevel = CurrentAttr & CCAttrTypeMask; + switch (Attr) { case CCAttrAmdSev: // // SEV is automatically enabled if SEV-ES or SEV-SNP is active. // - return CurrentAttr >= CCAttrAmdSev; + return CurrentLevel >= CCAttrAmdSev; case CCAttrAmdSevEs: // // SEV-ES is automatically enabled if SEV-SNP is active. // - return CurrentAttr >= CCAttrAmdSevEs; + return CurrentLevel >= CCAttrAmdSevEs; case CCAttrAmdSevSnp: - return CurrentAttr == CCAttrAmdSevSnp; + return CurrentLevel == CCAttrAmdSevSnp; + case CCAttrFeatureAmdSevEsDebugVirtualization: + return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization); default: return FALSE; } @@ -159,3 +165,18 @@ MemEncryptSevGetEncryptionMask ( return mSevEncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index 41d1246a5b31..7d823ad639f4 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -141,3 +141,18 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } + +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 27148c7e337a..33a326ac1571 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -142,6 +142,21 @@ MemEncryptSevGetEncryptionMask ( return SevEsWorkArea->EncryptionMask; } +/** + Returns a boolean to indicate whether DebugVirtualization is enabled. + + @retval TRUE DebugVirtualization is enabled + @retval FALSE DebugVirtualization is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevEsDebugVirtualizationIsEnabled ( + VOID + ) +{ + return FALSE; +} + /** Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM Save State Map. diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c index da8f1e5db9fa..2031fa9e22e6 100644 --- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c +++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c @@ -1609,6 +1609,10 @@ Dr7WriteExit ( UINT64 *Register; UINT64 Status; + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext = &InstructionData->Ext; SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); @@ -1659,6 +1663,10 @@ Dr7ReadExit ( SEV_ES_PER_CPU_DATA *SevEsData; UINT64 *Register; + if (MemEncryptSevEsDebugVirtualizationIsEnabled ()) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + Ext = &InstructionData->Ext; SevEsData = (SEV_ES_PER_CPU_DATA *)(Ghcb + 1); -- 2.44.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119461): https://edk2.groups.io/g/devel/message/119461 Mute This Topic: https://groups.io/mt/106496085/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
