From ea3a12d9706dd405d5eb96901be31de28c3134af Mon Sep 17 00:00:00 2001 From: "Brijesh Singh via groups.io" Date: Thu, 9 Dec 2021 11:27:58 +0800 Subject: OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map When SEV-SNP is active, the CPUID and Secrets memory range contains the information that is used during the VM boot. The content need to be persist across the kexec boot. Mark the memory range as Reserved in the EFI map so that guest OS or firmware does not use the range as a system RAM. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 31 +++++++++++++++++++++++++++++++ OvmfPkg/PlatformPei/MemDetect.c | 2 ++ OvmfPkg/PlatformPei/Platform.h | 5 +++++ OvmfPkg/PlatformPei/PlatformPei.inf | 4 ++++ 4 files changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 9b71f7cf2f..fb7e21ec14 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -416,3 +416,34 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); } + +/** + The function performs SEV specific region initialization. + + **/ +VOID +SevInitializeRam ( + VOID + ) +{ + if (MemEncryptSevSnpIsEnabled ()) { + // + // If SEV-SNP is enabled, reserve the Secrets and CPUID memory area. + // + // This memory range is given to the PSP by the hypervisor to populate + // the information used during the SNP VM boots, and it need to persist + // across the kexec boots. Mark it as EfiReservedMemoryType so that + // the guest firmware and OS does not use it as a system memory. + // + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase), + (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsSize), + EfiReservedMemoryType + ); + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfCpuidBase), + (UINT64)(UINTN)PcdGet32 (PcdOvmfCpuidSize), + EfiReservedMemoryType + ); + } +} diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c index 3f59a1ac79..738ed0c208 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c @@ -871,6 +871,8 @@ InitializeRamRegions ( { QemuInitializeRam (); + SevInitializeRam (); + if (mS3Supported && (mBootMode != BOOT_ON_S3_RESUME)) { // // This is the memory range that will be used for PEI on S3 resume diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 357b3d4095..24e4da4e1d 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -104,6 +104,11 @@ AmdSevInitialize ( extern EFI_BOOT_MODE mBootMode; +VOID +SevInitializeRam ( + VOID + ); + extern BOOLEAN mS3Supported; extern UINT8 mPhysMemAddressWidth; diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 3c05b550e4..1c56ba2758 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -111,6 +111,8 @@ gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory @@ -121,6 +123,8 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable -- cgit v1.2.3