diff options
author | Ray Ni <ray.ni@intel.com> | 2023-02-27 13:26:27 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-04-01 01:08:34 +0000 |
commit | 24f57f96487da290a9725b0200e0fd520898b655 (patch) | |
tree | 090881a6a8447cfa0aaf4a147e1a602aad17ba4d /MdePkg/Include | |
parent | 2f499c36db51980ad43fc6b578c7678a1720bd9c (diff) | |
download | edk2-24f57f96487da290a9725b0200e0fd520898b655.tar.gz edk2-24f57f96487da290a9725b0200e0fd520898b655.tar.bz2 edk2-24f57f96487da290a9725b0200e0fd520898b655.zip |
MdePkg: Add TME-MK related CPUID and MSR definitions
TME (Total Memory Encryption) is the capability to encrypt
the entirety of physical memory of a system.
TME-MK (Total Memory Encryption-Multi-Key) builds on TME and adds
support for multiple encryption keys.
The patch adds some necessary CPUID/MSR definitions for TME-MK.
Signed-off-by: Ray Ni <ray.ni@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Diffstat (limited to 'MdePkg/Include')
-rw-r--r-- | MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 106 | ||||
-rw-r--r-- | MdePkg/Include/Register/Intel/Cpuid.h | 9 |
2 files changed, 112 insertions, 3 deletions
diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h index 071a8c689c..756e7c86ec 100644 --- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h +++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h @@ -6,7 +6,7 @@ returned is a single 32-bit or 64-bit value, then a data structure is not
provided for that MSR.
- Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2016 - 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Specification Reference:
@@ -5680,6 +5680,110 @@ typedef union { #define MSR_IA32_X2APIC_SELF_IPI 0x0000083F
/**
+ Memory Encryption Activation MSR. If CPUID.07H:ECX.[13] = 1.
+
+ @param ECX MSR_IA32_TME_ACTIVATE (0x00000982)
+ @param EAX Lower 32-bits of MSR value.
+ Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.
+ @param EDX Upper 32-bits of MSR value.
+ Described by the type MSR_IA32_TME_ACTIVATE_REGISTER.
+
+ <b>Example usage</b>
+ @code
+ MSR_IA32_TME_ACTIVATE_REGISTER Msr;
+
+ Msr.Uint64 = AsmReadMsr64 (MSR_IA32_TME_ACTIVATE);
+ AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64);
+ @endcode
+ @note MSR_IA32_TME_ACTIVATE is defined as IA32_TME_ACTIVATE in SDM.
+**/
+#define MSR_IA32_TME_ACTIVATE 0x00000982
+
+/**
+ MSR information returned for MSR index #MSR_IA32_TME_ACTIVATE
+**/
+typedef union {
+ ///
+ /// Individual bit fields
+ ///
+ struct {
+ ///
+ /// [Bit 0] Lock R/O: Will be set upon successful WRMSR (or first SMI);
+ /// written value ignored..
+ ///
+ UINT32 Lock : 1;
+ ///
+ /// [Bit 1] Hardware Encryption Enable: This bit also enables MKTME; MKTME
+ /// cannot be enabled without enabling encryption hardware.
+ ///
+ UINT32 TmeEnable : 1;
+ ///
+ /// [Bit 2] Key Select:
+ /// 0: Create a new TME key (expected cold/warm boot).
+ /// 1: Restore the TME key from storage (Expected when resume from standby).
+ ///
+ UINT32 KeySelect : 1;
+ ///
+ /// [Bit 3] Save TME Key for Standby: Save key into storage to be used when
+ /// resume from standby.
+ /// Note: This may not be supported in all processors.
+ ///
+ UINT32 SaveKeyForStandby : 1;
+ ///
+ /// [Bit 7:4] TME Policy/Encryption Algorithm: Only algorithms enumerated in
+ /// IA32_TME_CAPABILITY are allowed.
+ /// For example:
+ /// 0000 – AES-XTS-128.
+ /// 0001 – AES-XTS-128 with integrity.
+ /// 0010 – AES-XTS-256.
+ /// Other values are invalid.
+ ///
+ UINT32 TmePolicy : 4;
+ UINT32 Reserved : 23;
+ ///
+ /// [Bit 31] TME Encryption Bypass Enable: When encryption hardware is enabled:
+ /// * Total Memory Encryption is enabled using a CPU generated ephemeral key
+ /// based on a hardware random number generator when this bit is set to 0.
+ /// * Total Memory Encryption is bypassed (no encryption/decryption for KeyID0)
+ /// when this bit is set to 1.
+ /// Software must inspect Hardware Encryption Enable (bit 1) and TME encryption
+ /// bypass Enable (bit 31) to determine if TME encryption is enabled.
+ ///
+ UINT32 TmeBypassMode : 1;
+ ///
+ /// [Bit 35:32] MK_TME_KEYID_BITS: Reserved if MKTME is not enumerated, otherwise:
+ /// The number of key identifier bits to allocate to MKTME usage.
+ /// Similar to enumeration, this is an encoded value.
+ /// Writing a value greater than MK_TME_MAX_KEYID_BITS will result in #GP.
+ /// Writing a non-zero value to this field will #GP if bit 1 of EAX (Hardware
+ /// Encryption Enable) is not also set to ‘1, as encryption hardware must be
+ /// enabled to use MKTME.
+ /// Example: To support 255 keys, this field would be set to a value of 8.
+ ///
+ UINT32 MkTmeKeyidBits : 4;
+ UINT32 Reserved2 : 12;
+ ///
+ /// [Bit 63:48] MK_TME_CRYPTO_ALGS: Reserved if MKTME is not enumerated, otherwise:
+ /// Bit 48: AES-XTS 128.
+ /// Bit 49: AES-XTS 128 with integrity.
+ /// Bit 50: AES-XTS 256.
+ /// Bit 63:51: Reserved (#GP)
+ /// Bitmask for BIOS to set which encryption algorithms are allowed for MKTME, would
+ /// be later enforced by the key loading ISA ('1= allowed)
+ ///
+ UINT32 MkTmeCryptoAlgs : 16;
+ } Bits;
+ ///
+ /// All bit fields as a 32-bit value
+ ///
+ UINT32 Uint32[2];
+ ///
+ /// All bit fields as a 64-bit value
+ ///
+ UINT64 Uint64;
+} MSR_IA32_TME_ACTIVATE_REGISTER;
+
+/**
Silicon Debug Feature Control (R/W). If CPUID.01H:ECX.[11] = 1.
@param ECX MSR_IA32_DEBUG_INTERFACE (0x00000C80)
diff --git a/MdePkg/Include/Register/Intel/Cpuid.h b/MdePkg/Include/Register/Intel/Cpuid.h index 350bf60252..1fb880c85c 100644 --- a/MdePkg/Include/Register/Intel/Cpuid.h +++ b/MdePkg/Include/Register/Intel/Cpuid.h @@ -6,7 +6,7 @@ If a register returned is a single 32-bit value, then a data structure is
not provided for that register.
- Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2015 - 2023, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Specification Reference:
@@ -1490,7 +1490,12 @@ typedef union { /// RDPKRU/WRPKRU instructions).
///
UINT32 OSPKE : 1;
- UINT32 Reserved5 : 9;
+ UINT32 Reserved8 : 8;
+ ///
+ /// [Bit 13] If 1, the following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE,
+ /// IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE.
+ ///
+ UINT32 TME_EN : 1;
///
/// [Bits 14] AVX512_VPOPCNTDQ. (Intel Xeon Phi only.).
///
|