Changeset 105670 in vbox for trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/Sec

Timestamp:

Aug 14, 2024 1:16:30 PM (6 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

164367

Message:

Devices/EFI/FirmwareNew: Merge edk2-stable-202405 and make it build on aarch64, bugref:4643

Location:

trunk/src/VBox/Devices/EFI/FirmwareNew

Files:

• . (modified) (1 prop)
• OvmfPkg/Sec/AmdSev.c (modified) (2 diffs)
• OvmfPkg/Sec/AmdSev.h (modified) (1 diff)
• OvmfPkg/Sec/SecMain.c (modified) (3 diffs)
• OvmfPkg/Sec/SecMain.inf (modified) (3 diffs)

trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/Sec/AmdSev.c

@@ -9 +9 @@
 
 #include <Library/BaseLib.h>
+#include <Library/CpuLib.h>
+#include <Library/CpuPageTableLib.h>
 #include <Library/DebugLib.h>
+#include <Library/LocalApicLib.h>
 #include <Library/MemEncryptSevLib.h>
 #include <Library/BaseMemoryLib.h>
@@ -302 +305 @@
   }
 }
+
+/**
+  Map known MMIO regions unencrypted if SEV-ES is active.
+
+  During early booting, page table entries default to having the encryption bit
+  set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
+  encryption bit should be cleared. Clear it here for any known MMIO accesses
+  during SEC, which is currently just the APIC base address.
+
+**/
+VOID
+SecMapApicBaseUnencrypted (
+  VOID
+  )
+{
+  PHYSICAL_ADDRESS    Cr3;
+  UINT64              ApicAddress;
+  VOID                *Buffer;
+  UINTN               BufferSize;
+  IA32_MAP_ATTRIBUTE  MapAttribute;
+  IA32_MAP_ATTRIBUTE  MapMask;
+  RETURN_STATUS       Status;
+
+  if (!SevEsIsEnabled ()) {
+    return;
+  }
+
+  ApicAddress = (UINT64)GetLocalApicBaseAddress ();
+  Buffer      = (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecApicPageTableBase);
+  Cr3         = AsmReadCr3 ();
+
+  MapAttribute.Uint64         = ApicAddress;
+  MapAttribute.Bits.Present   = 1;
+  MapAttribute.Bits.ReadWrite = 1;
+  MapMask.Uint64              = MAX_UINT64;
+  BufferSize                  = SIZE_4KB;
+
+  Status = PageTableMap (
+             (UINTN *)&Cr3,
+             Paging4Level,
+             Buffer,
+             &BufferSize,
+             ApicAddress,
+             SIZE_4KB,
+             &MapAttribute,
+             &MapMask,
+             NULL
+             );
+  if (RETURN_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Failed to map APIC MMIO region as unencrypted: %d\n", Status));
+    ASSERT (FALSE);
+  }
+
+  CpuFlushTlb ();
+}

trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/Sec/AmdSev.h

@@ -92 +92 @@
   );
 
+/**
+  Map MMIO regions unencrypted if SEV-ES is active.
+
+  During early booting, page table entries default to having the encryption bit
+  set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
+  encryption bit should be cleared. Clear it here for any known MMIO accesses
+  during SEC, which is currently just the APIC base address.
+
+**/
+VOID
+SecMapApicBaseUnencrypted (
+  VOID
+  );
+
 #endif

trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/Sec/SecMain.c

@@ -12 +12 @@
 #include <PiPei.h>
 
-#include <Library/PeimEntryPoint.h>
 #include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
@@ -845 +844 @@
   }
 
-  ProcessLibraryConstructorList (NULL, NULL);
+  ProcessLibraryConstructorList ();
 
   if (!SevEsIsEnabled ()) {
@@ -940 +939 @@
   // enabled.
   //
+  SecMapApicBaseUnencrypted ();
   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
   DisableApicTimerInterrupt ();

trunk/src/VBox/Devices/EFI/FirmwareNew/OvmfPkg/Sec/SecMain.inf

@@ -9 +9 @@
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = SecMain
   FILE_GUID                      = df1ccef6-f301-4a63-9661-fc6030dcc880
@@ -56 +56 @@
   CpuExceptionHandlerLib
   CcProbeLib
+  CpuPageTableLib
 
 [Ppis]
@@ -84 +85 @@
   gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecApicPageTableSize
 
 [FeaturePcd]