OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not at VMPL0

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654

Currently, an SEV-SNP guest will terminate if it is not running at VMPL0.
The requirement for running at VMPL0 is removed if an SVSM is present.

Update the current VMPL0 check to additionally check for the presence of
an SVSM is the guest is not running at VMPL0.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
index ca279d7727..227e333399 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
@@ -12,6 +12,7 @@
 #include <Library/BaseLib.h>

 #include <Library/DebugLib.h>

 #include <Library/MemEncryptSevLib.h>

+#include <Library/AmdSvsmLib.h>

 

 #include "SnpPageStateChange.h"

 

@@ -74,10 +75,12 @@ MemEncryptSevSnpPreValidateSystemRam (
 

   //

   // The page state change uses the PVALIDATE instruction. The instruction

-  // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate

-  // the boot.

+  // can be run at VMPL-0 only. If its not a VMPL-0 guest, then an SVSM must

+  // be present to perform the operation on behalf of the guest. If the guest

+  // is not running at VMPL-0 and an SVSM is not present, then terminate the

+  // boot.

   //

-  if (!SevSnpIsVmpl0 ()) {

+  if (!SevSnpIsVmpl0 () && !AmdSvsmIsSvsmPresent ()) {

     SnpPageStateFailureTerminate ();

   }