Re: [PATCH V3 23/29] UefiCpuPkg: Update AddressEncMask in CpuPageTable

Gerd Hoffmann


Looks like two PCDs for basically the same thing.
Should we create a common CC PCD here?
1. The current situation of PcdPteMemoryEncryptionAddressOrMask is:
1.1 PcdPteMemoryEncryptionAddressOrMask is now set by AmdSev.
1.2 In CreateIdentityMappingPageTables(), this value (AddressEncMask) is set to the page tables in SEV guest.
1.3 This PCD is also used as an indicator in InternalMemEncryptSevStatus() if ReadSevMsr is TRUE or FALSE.
1.4 This PCD is also used in BootScriptExecutorEntryPoint()
Yes. Creating a common CC PCD may require some changes on the SEV side
too. The code (1.3 for example) assumes sev is active when
PcdPteMemoryEncryptionAddressOrMask is set, which will obviously not be
the case any more when tdx uses it too. But there are other ways to
check for sev which can be used instead ...

2. The meaning and usage scenario of PcdTdxSharedBitMask are somehow different from PcdPteMemoryEncryptionAddressOrMask.
2.1 Guest physical address (GPA) space of Td guest is divided into private and shared sub-spaces, determined by the shared bit of GPA.[1]
Well, there are some differences in detail but the underlying concept is
the same. The page table bit says whenever the page is private to the vm
or not. With SEV the bit enables/disables encryption. With TDX the bit
switches between private and shared encryption key.

2.2 PcdTdxSharedBitMask indicates the above shared bit of GPA. And
only the shared GPA has the shared bit set. This breaks 1.2.
Hmm, ok. So the logic is different. SEV enables the bit for private
pages whereas TDX enables the bit for shared pages.

Too bad. That indeed makes it impossible to share a single PCD.

We could still define something generic, like a
"set-this-bit-for-shared-pages" pcd and a
"set-this-bit-for-private-pages" pcd. But at the end of the day that
probably wouldn't be very different from having
PcdPteMemoryEncryptionAddressOrMask + PcdTdxSharedBitMask ...

take care,

Join to automatically receive all group messages.