[PATCH v3 00/15] SEV-ES security mitigations
Thanks, Laszlo! Tom
By Lendacky, Thomas · #69969

[PATCH v3 15/15] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 When SEV-ES is active, an MMIO operation will trigger a #VC and the VmgExitLib exception handler w
By Lendacky, Thomas · #69964

[PATCH v3 14/15] OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 Protect the GHCB backup pages used by an SEV-ES guest when S3 is supported. Regarding the lifecycle
By Lendacky, Thomas · #69963

[PATCH v3 13/15] OvmfPkg/VmgExitLib: Support nested #VCs
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 In order to be able to issue messages or make interface calls that cause another #VC (e.g. GetLocal
By Lendacky, Thomas · #69962

[PATCH v3 12/15] OvmfPkg/MemEncryptSevLib: Address range encryption state interface
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 Update the MemEncryptSevLib library to include an interface that can report the encryption state on
By Lendacky, Thomas · #69961

[PATCH v3 11/15] OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 In preparation for a new interface to be added to the MemEncryptSevLib library that will be used in
By Lendacky, Thomas · #69960

[PATCH v3 10/15] OvmfPkg/MemEncryptSevLib: Coding style fixes in prep for SEC library
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 Creating an SEC version of the library requires renaming an existing file which will result in the
By Lendacky, Thomas · #69959

[PATCH v3 09/15] OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 Check the DR7 cached indicator against a specific value. This makes it harder for a hypervisor to j
By Lendacky, Thomas · #69958

[PATCH v3 08/15] OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 The PCIe MMCONFIG range should be treated as an MMIO range. However, there is a comment in the code
By Lendacky, Thomas · #69957

[PATCH v3 07/15] OvmfPkg: Obtain SEV encryption mask with the new MemEncryptSevLib API
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 The early assembler code performs validation for some of the SEV-related information, specifically
By Lendacky, Thomas · #69956

[PATCH v3 06/15] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 To ensure that we always use a validated encryption mask for an SEV-ES guest, create a new interfac
By Lendacky, Thomas · #69955

[PATCH v3 05/15] OvmfPkg/ResetVector: Save the encryption mask at boot time
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 The early assembler code performs validation for some of the SEV-related information, specifically
By Lendacky, Thomas · #69954

[PATCH v3 04/15] OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 If a hypervisor incorrectly reports through CPUID that SEV-ES is not active, ensure that a #VC exce
By Lendacky, Thomas · #69953

[PATCH v3 03/15] OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 To help mitigate against ROP attacks, add some checks to validate the encryption bit position that
By Lendacky, Thomas · #69952

[PATCH v3 02/15] OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 In order to allow for the SEV-ES workarea to be used for other purposes and by other files, move th
By Lendacky, Thomas · #69951

[PATCH v3 01/15] Ovmf/ResetVector: Simplify and consolidate the SEV features checks
From: Tom Lendacky <thomas.lendacky@...> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 Simplify and consolidate the SEV and SEV-ES checks into a single routine. This new routine will use
By Lendacky, Thomas · #69950

[PATCH v3 00/15] SEV-ES security mitigations
From: Tom Lendacky <thomas.lendacky@...> This patch series provides security mitigations for SEV-ES to protect against some attacks identified in the paper titled "Exploiting Interfaces of Secure
By Lendacky, Thomas · #69949

[PATCH v2 15/15] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory
Will do, I'll send it out very soon. Thanks, Tom
By Lendacky, Thomas · #69948

[PATCH v2 15/15] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory
Thanks for the review, Laszlo! I've applied all of your comments for this series should a v3 need to be submitted. Thanks, Tom
By Lendacky, Thomas · #69942

[PATCH V2] UefiCpuPkg/CpuDxe: Fix boot error
With one little comment below, I verified this method allows my system to boot. Tested-by: Tom Lendacky <thomas.lendacky@...> Extraneous comma after rcx. Thanks, Tom
By Lendacky, Thomas · #69927