Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
OvmfPkg/ResetVector: Set C-bit when building initial page table
SEV guest VMs have the concept of private and shared memory. Private
memory is encrypted with the guest-specific key, while shared memory
may be encrypted with hypervisor key. Certain types of memory (namely
instruction pages and guest page tables) are always treated as private
memory by the hardware. The C-bit in PTE indicate whether the page is
private or shared. The C-bit position for the PTE can be obtained from
CPUID Fn8000_001F[EBX].

When SEV is active, the BIOS is encrypted by the Qemu launch sequence,
we must set the C-bit when building the page table.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
  • Loading branch information
codomania authored and jljusten2 committed Jul 11, 2017
1 parent 9750503 commit e60af8a
Showing 1 changed file with 61 additions and 1 deletion.
62 changes: 61 additions & 1 deletion OvmfPkg/ResetVector/Ia32/PageTables64.asm
Expand Up @@ -37,12 +37,66 @@ BITS 32
PAGE_READ_WRITE + \
PAGE_PRESENT)

; Check if Secure Encrypted Virtualization (SEV) feature is enabled
;
; If SEV is enabled then EAX will be at least 32
; If SEV is disabled then EAX will be zero.
;
CheckSevFeature:
; Check if we have a valid (0x8000_001F) CPUID leaf
mov eax, 0x80000000
cpuid

; This check should fail on Intel or Non SEV AMD CPUs. In future if
; Intel CPUs supports this CPUID leaf then we are guranteed to have exact
; same bit definition.
cmp eax, 0x8000001f
jl NoSev

; Check for memory encryption feature:
; CPUID Fn8000_001F[EAX] - Bit 1
;
mov eax, 0x8000001f
cpuid
bt eax, 1
jnc NoSev

; Check if memory encryption is enabled
; MSR_0xC0010131 - Bit 0 (SEV enabled)
mov ecx, 0xc0010131
rdmsr
bt eax, 0
jnc NoSev

; Get pte bit position to enable memory encryption
; CPUID Fn8000_001F[EBX] - Bits 5:0
;
mov eax, ebx
and eax, 0x3f
jmp SevExit

NoSev:
xor eax, eax

SevExit:
OneTimeCallRet CheckSevFeature

;
; Modified: EAX, ECX
; Modified: EAX, EBX, ECX, EDX
;
SetCr3ForPageTables64:

OneTimeCall CheckSevFeature
xor edx, edx
test eax, eax
jz SevNotActive

; If SEV is enabled, C-bit is always above 31
sub eax, 32
bts edx, eax

SevNotActive:

;
; For OVMF, build some initial page tables at
; PcdOvmfSecPageTablesBase - (PcdOvmfSecPageTablesBase + 0x6000).
Expand All @@ -64,14 +118,19 @@ clearPageTablesMemoryLoop:
; Top level Page Directory Pointers (1 * 512GB entry)
;
mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
mov dword[PT_ADDR (4)], edx

;
; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
;
mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
mov dword[PT_ADDR (0x1004)], edx
mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
mov dword[PT_ADDR (0x100C)], edx
mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
mov dword[PT_ADDR (0x1014)], edx
mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
mov dword[PT_ADDR (0x101C)], edx

;
; Page Table Entries (2048 * 2MB entries => 4GB)
Expand All @@ -83,6 +142,7 @@ pageTableEntriesLoop:
shl eax, 21
add eax, PAGE_2M_PDE_ATTR
mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
loop pageTableEntriesLoop

;
Expand Down

0 comments on commit e60af8a

Please sign in to comment.