OvmfPkg/PlatformPei: Move early GDT into ram when SEV-ES is enabled

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198

The SEV support will clear the C-bit from non-RAM areas.  The early GDT
lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
will be read as un-encrypted even though it is encrypted. This will result
in a failure to be able to handle the exception.

Move the GDT into RAM so it can be accessed without error when running as
an SEV-ES guest.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>

1 files changed, 18 insertions, 0 deletions

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 4fd4534cab..a2b38c5912 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -39,6 +39,8 @@ AmdSevEsInitialize (
   PHYSICAL_ADDRESS  GhcbBasePa;

   UINTN             GhcbPageCount, PageCount;

   RETURN_STATUS     PcdStatus, DecryptStatus;

+  IA32_DESCRIPTOR   Gdtr;

+  VOID              *Gdt;

 

   if (!MemEncryptSevEsIsEnabled ()) {

     return;

@@ -83,6 +85,22 @@ AmdSevEsInitialize (
     (UINT64)GhcbPageCount, GhcbBase));

 

   AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa);

+

+  //

+  // The SEV support will clear the C-bit from non-RAM areas.  The early GDT

+  // lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT

+  // will be read as un-encrypted even though it was created before the C-bit

+  // was cleared (encrypted). This will result in a failure to be able to

+  // handle the exception.

+  //

+  AsmReadGdtr (&Gdtr);

+

+  Gdt = AllocatePages (EFI_SIZE_TO_PAGES ((UINTN) Gdtr.Limit + 1));

+  ASSERT (Gdt != NULL);

+

+  CopyMem (Gdt, (VOID *) Gdtr.Base, Gdtr.Limit + 1);

+  Gdtr.Base = (UINTN) Gdt;

+  AsmWriteGdtr (&Gdtr);

 }

 

 /**