toggle quoted messageShow quoted text
When I go thru the code I find a potential bug in MemEncryptSevEsIsEnabled().
In the current code both SEV and TDX leverage the OvmfWorkArea to record the SEV/TDX information.
Byte  record the guest type, 0 for legacy guest. 1 for sev, 2 for tdx.
Byte [3:1] are reserved.
From Byte on its meaning depends on the guest type (byte).
For SEV it is SEC_SEV_ES_WORK_AREA.
In the InternalMemEncryptSevStatus(), it check the SEC_SEV_ES_WORK_AREA directly without checking if it is SEV guest. (byte)
SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
I am afraid it is not correct. Would you please double check it?
From: Brijesh Singh <firstname.lastname@example.org>
Sent: Tuesday, September 7, 2021 9:27 PM
To: email@example.com; Xu, Min M <firstname.lastname@example.org>
Cc: email@example.com; firstname.lastname@example.org; James Bottomley
<email@example.com>; Yao, Jiewen <firstname.lastname@example.org>; Tom Lendacky
<email@example.com>; Justen, Jordan L <firstname.lastname@example.org>;
Ard Biesheuvel <email@example.com>; Erdem Aktas
<firstname.lastname@example.org>; Michael Roth <Michael.Roth@amd.com>
Subject: Re: [edk2-devel] [PATCH v6 06/29] OvmfPkg/ResetVector: pre-validate
the data pages used in SEC phase
On 9/7/21 2:07 AM, email@example.com wrote:
[ Looking at
So, there isn't much tdx-specific in tdx-metadata. Most ranges are
TDX_METADATA_SECTION_TYPE_TEMP_MEM which I think basically means
these ranges should be accepted by the hypervisor, which is pretty
much the same issue snp tries to solve with this pre-validation
range. Then there are the ranges for code (aka bfv), for vars (aka cfv) and
Mailbox is tdx-specific too. But
td_hob is the only tdx-specific item there, and even that concept
(pass memory ranges as hob list from hypervisor to guest) might be
useful outside tdx.
Stack/Heap/OvmfWorkarea/OvmfPageTable are common. BFV/CFV are
We should be able to make use of the metadata approach for the SEV-SNP.
Mailbox is tagged "TDX_METADATA_SECTION_TYPE_TEMP_MEM", so nothing
special to do when loading the firmware, right?
Yes. Both TDX and SNP have simliar requirements, they want store
I'd suggest we generalize the tdx-metadata idea and define bothTDX has similar section type.
generic and vmm-specific section types:
OVMF_SECTION_TYPE_UNDEFINED = 0;
/* generic */
OVMF_SECTION_TYPE_CODE = 0x100,
OVMF_SECTION_TYPE_SEC_MEM /* vmm should accept/validate this */
/* sev */
OVMF_SECTION_TYPE_SEV_SECRETS = 0x200,
OVMF_SECTION_TYPE_SEV_CPUID /* or move to generic? */
/* tdx */
OVMV_SECTION_TYPE_TDX_TD_HOB = 0x300, };
memory ranges in the firmware binary in a way that allows qemu finding
them and using them when initializing the guest.
SNP stores the ranges directly in the GUID-chained block in the reset
vector. The range types are implicit (first is pre-validate area,
second is cpuid page, ...).
TDX stores a pointer to tdx-metadata in the GUID-chained block, then
the tdx-metadata has a list of ranges. The ranges are explicitly
typed (section type field).
The indirection used by TDX keeps the reset vector small. Also the
explicit typing of the ranges makes it easier to extend later on if
IMHO SEV should at minimum add explicit types to the memory ranges in
the boot block, but I'd very much prefer it if SEV and TDX can agree
on a way to store the memory ranges.
But I am not sure if SEV can use this metadata mechanism.Brijesh?
Need SEV's comments.
I will update the SNP patches to use the metadata approach in next rev.