[PATCH v11 20/32] UefiCpuPkg: Define ConfidentialComputingGuestAttr


Brijesh Singh
 

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

While initializing APs, the MpInitLib may need to know whether the
guest is running with active AMD SEV or Intel TDX memory encryption.

Add a new ConfidentialComputingGuestAttr PCD that can be used to query
the memory encryption attribute.

Cc: Michael Roth <michael.roth@amd.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Suggested-by: Jiewen Yao <jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
MdePkg/MdePkg.dec | 4 +++
.../Include/ConfidentialComputingGuestAttr.h | 25 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h

diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 8b18415b107a..cd903c35d2ff 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
# @Prompt FSB Clock.
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|200000000|UINT32|0x0000000c

+ ## This dynamic PCD indicates the memory encryption attribute of the guest.
+ # @Prompt Memory encryption attribute
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x0000002e
+
[UserExtensions.TianoCore."ExtraFiles"]
MdePkgExtra.uni
diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h
new file mode 100644
index 000000000000..495b0df0ac33
--- /dev/null
+++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h
@@ -0,0 +1,25 @@
+/** @file
+Definitions for Confidential Computing Attribute
+
+Copyright (c) 2021 AMD Inc. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_
+#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_
+
+typedef enum {
+ /* The guest is running with memory encryption disabled. */
+ CCAttrNotEncrypted = 0,
+
+ /* The guest is running with AMD SEV memory encryption enabled. */
+ CCAttrAmdSev = 0x100,
+ CCAttrAmdSevEs = 0x101,
+ CCAttrAmdSevSnp = 0x102,
+
+ /* The guest is running with Intel TDX memory encryption enabled. */
+ CCAttrIntelTdx = 0x200,
+} CONFIDENTIAL_COMPUTING_GUEST_ATTR;
+
+#endif
--
2.25.1


Brijesh Singh
 

Hi Ray and Rahul,

Any comment on this patch ? If you are okay with it then can I get Ack
or R-b ?

-Brijesh

On 10/22/21 11:13 PM, Brijesh Singh wrote:
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

While initializing APs, the MpInitLib may need to know whether the
guest is running with active AMD SEV or Intel TDX memory encryption.

Add a new ConfidentialComputingGuestAttr PCD that can be used to query
the memory encryption attribute.

Cc: Michael Roth <michael.roth@amd.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Suggested-by: Jiewen Yao <jiewen.yao@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
MdePkg/MdePkg.dec | 4 +++
.../Include/ConfidentialComputingGuestAttr.h | 25 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h

diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 8b18415b107a..cd903c35d2ff 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
# @Prompt FSB Clock.
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|200000000|UINT32|0x0000000c

+ ## This dynamic PCD indicates the memory encryption attribute of the guest.
+ # @Prompt Memory encryption attribute
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x0000002e
+
[UserExtensions.TianoCore."ExtraFiles"]
MdePkgExtra.uni
diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h
new file mode 100644
index 000000000000..495b0df0ac33
--- /dev/null
+++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h
@@ -0,0 +1,25 @@
+/** @file
+Definitions for Confidential Computing Attribute
+
+Copyright (c) 2021 AMD Inc. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_
+#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_
+
+typedef enum {
+ /* The guest is running with memory encryption disabled. */
+ CCAttrNotEncrypted = 0,
+
+ /* The guest is running with AMD SEV memory encryption enabled. */
+ CCAttrAmdSev = 0x100,
+ CCAttrAmdSevEs = 0x101,
+ CCAttrAmdSevSnp = 0x102,
+
+ /* The guest is running with Intel TDX memory encryption enabled. */
+ CCAttrIntelTdx = 0x200,
+} CONFIDENTIAL_COMPUTING_GUEST_ATTR;
+
+#endif


Min Xu
 

On October 23, 2021 12:14 PM, Brijesh Singh wrote:

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

While initializing APs, the MpInitLib may need to know whether the guest is
running with active AMD SEV or Intel TDX memory encryption.

Add a new ConfidentialComputingGuestAttr PCD that can be used to query the
memory encryption attribute.

---
MdePkg/MdePkg.dec | 4 +++
.../Include/ConfidentialComputingGuestAttr.h | 25 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h

diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
8b18415b107a..cd903c35d2ff 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule,
PcdsDynamic, PcdsDynamicEx]
# @Prompt FSB Clock.
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|200000000|UINT32|0x0000000c

+ ## This dynamic PCD indicates the memory encryption attribute of the guest.
+ # @Prompt Memory encryption attribute
+
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x
+ 0000002e
+
This PCD is defined in MdePkg, but the title is " UefiCpuPkg: Define ConfidentialComputingGuestAttr". A typo ?

BTW, can you add below macro in the ConfidentialComputingGuestAttr.h, such as:
#define CC_GUEST_IS_TDX(x) ((x) == CCAttrIntelTdx)
#define CC_GUEST_IS_SEV(x) ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)

Thanks.
Min


Brijesh Singh
 

On 10/25/21 2:22 AM, Xu, Min M wrote:
On October 23, 2021 12:14 PM, Brijesh Singh wrote:
BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3275&;data=04%7C01%7Cbrijesh.singh%40amd.com%7C96cac3cfbb5b4eec64a808d997883593%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637707433532691196%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=JuBNNapc9%2B9xbbiCXbWKy4rYSzO%2BnYeLZ6cmxF7FNwo%3D&amp;reserved=0

While initializing APs, the MpInitLib may need to know whether the guest is
running with active AMD SEV or Intel TDX memory encryption.

Add a new ConfidentialComputingGuestAttr PCD that can be used to query the
memory encryption attribute.

---
MdePkg/MdePkg.dec | 4 +++
.../Include/ConfidentialComputingGuestAttr.h | 25 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h

diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index
8b18415b107a..cd903c35d2ff 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule,
PcdsDynamic, PcdsDynamicEx]
# @Prompt FSB Clock.
gEfiMdePkgTokenSpaceGuid.PcdFSBClock|200000000|UINT32|0x0000000c

+ ## This dynamic PCD indicates the memory encryption attribute of the guest.
+ # @Prompt Memory encryption attribute
+
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x
+ 0000002e
+
This PCD is defined in MdePkg, but the title is " UefiCpuPkg: Define ConfidentialComputingGuestAttr". A typo ?
Yes, initially I defined in UefiCpuPkg but later based on the feedback
moved to MdePkg but missed updating the header.

BTW, can you add below macro in the ConfidentialComputingGuestAttr.h, such as:
#define CC_GUEST_IS_TDX(x) ((x) == CCAttrIntelTdx)
#define CC_GUEST_IS_SEV(x) ((x) == CCAttrAmdSev || (x) == CCAttrAmdSevEs || (x) == CCAttrAmdSevSnp)
For SEV case, we need to distinguish between the ES and SNP, so above
macro does not help. Patch#22 adds a ConfidentialComputingGuesthas()
that does a comprehensive check for the SEV.   For TDX, if you find that
other modules or libraries need to use this PCD check then you can move
it to a common header or library.



Thanks.
Min