generated from deepin-community/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support live migration for Hygon CSV1/2/3 guest, fix nesting #VC Exce…
…ption
The live migration for Hygon CSV1/2/3 guest depends on the KVM
hypercall KVM_HC_MAP_GPA_RANGE, add code to sync page enc/dec
status to KVM.
The MMIO routine of VC handler will get memory encrypt status to
validate MMIO address. MemEncryptSevGetEncryptionMask() will enable
interrupt while interrupt must be disabled during VC. During DXE
stage, VC routine as below:
CcExitHandleVc
-> MemEncryptSevGetAddressRangeState
-> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask)
[ hly: Fix the changelog of edk2 (2024.08-2deepin1). ]
Signed-off-by: hanliyang <[email protected]>- Loading branch information
Showing
11 changed files
with
1,270 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,32 @@ | ||
| edk2 (2024.08-2deepin2) unstable; urgency=medium | ||
|
|
||
| * Support live migration for Hygon CSV/CSV2/CSV3 guest, fix nesting #VC: | ||
| - d/p/0015-OvmfPkg-BaseMemEncryptLib-Detect-SEV-live-migration-.patch | ||
| - d/p/0016-OvmfPkg-BaseMemEncryptLib-Hypercall-API-for-page-enc.patch | ||
| - d/p/0017-OvmfPkg-BaseMemEncryptLib-Invoke-page-encryption-sta.patch | ||
| - d/p/0018-OvmfPkg-VmgExitLib-Encryption-state-change-hypercall.patch | ||
| - d/p/0019-OvmfPkg-PlatformPei-Mark-SEC-GHCB-page-as-unencrypte.patch | ||
| - d/p/0020-OvmfPkg-AmdSevDxe-Add-support-for-SEV-live-migration.patch | ||
| - d/p/0021-OvmfPkg-BaseMemcryptSevLib-Correct-the-calculation-o.patch | ||
| - d/p/0022-OvmfPkg-BaseMemEncryptLib-Return-SUCCESS-if-not-supp.patch | ||
| - d/p/0023-OvmfPkg-BaseMemEncryptLib-Save-memory-encrypt-status.patch | ||
|
|
||
| -- hanliyang <[email protected]> Mon, 14 Oct 2024 15:34:28 +0000 | ||
|
|
||
| edk2 (2024.08-2deepin1) unstable; urgency=medium | ||
|
|
||
| * Add support for Hygon CSV3 feature: | ||
| - d/p/0004-MdePkg-Add-StandardSignatureIsHygonGenuine-in-BaseCp.patch | ||
| - d/p/0005-UefiCpuPkg-LocalApicLib-Exclude-second-SendIpi-seque.patch | ||
| - d/p/0006-OvmfPkg-Add-CSV-secure-call-library-on-Hygon-CPU.patch | ||
| - d/p/0007-OvmfPkg-ResetVector-Support-CSV-in-ResetVector-phase.patch | ||
| - d/p/0008-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memory.patch | ||
| - d/p/0009-OvmfPkg-BaseMemcryptSevLib-update-page-status-to-Sec.patch | ||
| - d/p/0010-OvmfPkg-Tcg-Add-CsvLib-for-TpmMmioSevDecryptPei.patch | ||
| - d/p/0011-OvmfPkg-Add-CsvDxe-driver.patch | ||
| - d/p/0012-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch | ||
| - d/p/0013-OvmfPkg-Use-classic-mmio-window-for-CSV-guest.patch | ||
| - d/p/0014-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch | ||
| * Add support for Hygon CSV3 feature: | ||
| - d/p/0004-MdePkg-Add-StandardSignatureIsHygonGenuine-in-BaseCp.patch | ||
| - d/p/0005-UefiCpuPkg-LocalApicLib-Exclude-second-SendIpi-seque.patch | ||
| - d/p/0006-OvmfPkg-Add-CSV-secure-call-library-on-Hygon-CPU.patch | ||
| - d/p/0007-OvmfPkg-ResetVector-Support-CSV-in-ResetVector-phase.patch | ||
| - d/p/0008-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memory.patch | ||
| - d/p/0009-OvmfPkg-BaseMemcryptSevLib-update-page-status-to-Sec.patch | ||
| - d/p/0010-OvmfPkg-Tcg-Add-CsvLib-for-TpmMmioSevDecryptPei.patch | ||
| - d/p/0011-OvmfPkg-Add-CsvDxe-driver.patch | ||
| - d/p/0012-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch | ||
| - d/p/0013-OvmfPkg-Use-classic-mmio-window-for-CSV-guest.patch | ||
| - d/p/0014-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch | ||
|
|
||
| -- hanliyang <[email protected]> Wed, 09 Oct 2024 21:26:28 +0000 | ||
|
|
||
|
|
||
330 changes: 330 additions & 0 deletions
330
debian/patches/0015-OvmfPkg-BaseMemEncryptLib-Detect-SEV-live-migration-.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,330 @@ | ||
| From bcc36056f955538e01e9c2a8940cecbbb877ad64 Mon Sep 17 00:00:00 2001 | ||
| From: Ashish Kalra <[email protected]> | ||
| Date: Tue, 5 Apr 2022 16:09:28 +0000 | ||
| Subject: [PATCH 1/9] OvmfPkg/BaseMemEncryptLib: Detect SEV live migration | ||
| feature. | ||
|
|
||
| cherry-picked from https://patchew.org/EDK2/[email protected] . | ||
|
|
||
| Add support to check if we are running inside KVM HVM and | ||
| KVM HVM supports SEV Live Migration feature. | ||
|
|
||
| Cc: Jordan Justen <[email protected]> | ||
| Cc: Ard Biesheuvel <[email protected]> | ||
| Signed-off-by: Ashish Kalra <[email protected]> | ||
| --- | ||
| OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 ++++ | ||
| .../DxeMemEncryptSevLibInternal.c | 49 ++++++++++++++-- | ||
| .../PeiDxeMemEncryptSevLibInternal.c | 58 +++++++++++++++++++ | ||
| .../PeiDxeMemEncryptSevLibInternal.h | 31 ++++++++++ | ||
| .../PeiMemEncryptSevLibInternal.c | 42 ++++++++++++++ | ||
| .../SecMemEncryptSevLibInternal.c | 18 ++++++ | ||
| 6 files changed, 206 insertions(+), 4 deletions(-) | ||
| create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.h | ||
|
|
||
| diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h | ||
| index c5653539..dac87256 100644 | ||
| --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h | ||
| +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h | ||
| @@ -83,6 +83,18 @@ MemEncryptSevIsEnabled ( | ||
| VOID | ||
| ); | ||
|
|
||
| +/** | ||
| + Returns a boolean to indicate whether SEV live migration is enabled. | ||
| + | ||
| + @retval TRUE SEV live migration is enabled | ||
| + @retval FALSE SEV live migration is not enabled | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +MemEncryptSevLiveMigrationIsEnabled ( | ||
| + VOID | ||
| + ); | ||
| + | ||
| /** | ||
| This function clears memory encryption bit for the memory region specified by | ||
| BaseAddress and NumPages from the current page table context. | ||
| diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | ||
| index 9947d663..b2a68bae 100644 | ||
| --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | ||
| +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | ||
| @@ -18,10 +18,14 @@ | ||
| #include <Uefi/UefiBaseType.h> | ||
| #include <ConfidentialComputingGuestAttr.h> | ||
|
|
||
| -STATIC UINT64 mCurrentAttr = 0; | ||
| -STATIC BOOLEAN mCurrentAttrRead = FALSE; | ||
| -STATIC UINT64 mSevEncryptionMask = 0; | ||
| -STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; | ||
| +#include "PeiDxeMemEncryptSevLibInternal.h" | ||
| + | ||
| +STATIC UINT64 mCurrentAttr = 0; | ||
| +STATIC BOOLEAN mCurrentAttrRead = FALSE; | ||
| +STATIC UINT64 mSevEncryptionMask = 0; | ||
| +STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; | ||
| +STATIC BOOLEAN mSevLiveMigrationStatus = FALSE; | ||
| +STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE; | ||
|
|
||
| /** | ||
| The function check if the specified Attr is set. | ||
| @@ -117,6 +121,24 @@ MemEncryptSevSnpIsEnabled ( | ||
| return ConfidentialComputingGuestHas (CCAttrAmdSevSnp); | ||
| } | ||
|
|
||
| +/** | ||
| + Figures out if we are running inside KVM HVM and | ||
| + KVM HVM supports SEV Live Migration feature. | ||
| +**/ | ||
| +STATIC | ||
| +VOID | ||
| +EFIAPI | ||
| +InternalDetectSevLiveMigrationFeature ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + if (KvmDetectSevLiveMigrationFeature ()) { | ||
| + mSevLiveMigrationStatus = TRUE; | ||
| + } | ||
| + | ||
| + mSevLiveMigrationStatusChecked = TRUE; | ||
| +} | ||
| + | ||
| /** | ||
| Returns a boolean to indicate whether SEV-ES is enabled. | ||
|
|
||
| @@ -147,6 +169,25 @@ MemEncryptSevIsEnabled ( | ||
| return ConfidentialComputingGuestHas (CCAttrAmdSev); | ||
| } | ||
|
|
||
| +/** | ||
| + Returns a boolean to indicate whether SEV live migration is enabled. | ||
| + | ||
| + @retval TRUE SEV live migration is enabled | ||
| + @retval FALSE SEV live migration is not enabled | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +MemEncryptSevLiveMigrationIsEnabled ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + if (!mSevLiveMigrationStatusChecked) { | ||
| + InternalDetectSevLiveMigrationFeature (); | ||
| + } | ||
| + | ||
| + return mSevLiveMigrationStatus; | ||
| +} | ||
| + | ||
| /** | ||
| Returns the SEV encryption mask. | ||
|
|
||
| diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c | ||
| index 43a2a3e3..30e1d8d0 100644 | ||
| --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c | ||
| +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c | ||
| @@ -16,6 +16,8 @@ | ||
| #include <Register/SmramSaveStateMap.h> | ||
| #include <Uefi/UefiBaseType.h> | ||
|
|
||
| +#include "PeiDxeMemEncryptSevLibInternal.h" | ||
| + | ||
| /** | ||
| Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM | ||
| Save State Map. | ||
| @@ -61,3 +63,59 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages ( | ||
|
|
||
| return RETURN_SUCCESS; | ||
| } | ||
| + | ||
| +/** | ||
| + Figures out if we are running inside KVM HVM and | ||
| + KVM HVM supports SEV Live Migration feature. | ||
| + | ||
| + @retval TRUE SEV live migration is supported. | ||
| + @retval FALSE SEV live migration is not supported. | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +KvmDetectSevLiveMigrationFeature ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + CHAR8 Signature[13]; | ||
| + UINT32 mKvmLeaf; | ||
| + UINT32 RegEax; | ||
| + UINT32 RegEbx; | ||
| + UINT32 RegEcx; | ||
| + UINT32 RegEdx; | ||
| + | ||
| + Signature[12] = '\0'; | ||
| + for (mKvmLeaf = 0x40000000; mKvmLeaf < 0x40010000; mKvmLeaf += 0x100) { | ||
| + AsmCpuid ( | ||
| + mKvmLeaf, | ||
| + NULL, | ||
| + (UINT32 *)&Signature[0], | ||
| + (UINT32 *)&Signature[4], | ||
| + (UINT32 *)&Signature[8] | ||
| + ); | ||
| + | ||
| + if (AsciiStrCmp (Signature, "KVMKVMKVM") == 0) { | ||
| + DEBUG (( | ||
| + DEBUG_INFO, | ||
| + "%a: KVM Detected, signature = %a\n", | ||
| + __FUNCTION__, | ||
| + Signature | ||
| + )); | ||
| + | ||
| + RegEax = mKvmLeaf + 1; | ||
| + RegEcx = 0; | ||
| + AsmCpuid (mKvmLeaf + 1, &RegEax, &RegEbx, &RegEcx, &RegEdx); | ||
| + if ((RegEax & KVM_FEATURE_MIGRATION_CONTROL) != 0) { | ||
| + DEBUG (( | ||
| + DEBUG_INFO, | ||
| + "%a: SEV Live Migration feature supported\n", | ||
| + __FUNCTION__ | ||
| + )); | ||
| + | ||
| + return TRUE; | ||
| + } | ||
| + } | ||
| + } | ||
| + | ||
| + return FALSE; | ||
| +} | ||
| diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.h b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.h | ||
| new file mode 100644 | ||
| index 00000000..b0ef053c | ||
| --- /dev/null | ||
| +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.h | ||
| @@ -0,0 +1,31 @@ | ||
| +/** @file | ||
| + | ||
| + Secure Encrypted Virtualization (SEV) library helper function | ||
| + | ||
| + Copyright (c) 2021, AMD Incorporated. All rights reserved.<BR> | ||
| + | ||
| + SPDX-License-Identifier: BSD-2-Clause-Patent | ||
| + | ||
| +**/ | ||
| + | ||
| +#ifndef PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_ | ||
| +#define PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_ | ||
| + | ||
| +#include <Library/BaseLib.h> | ||
| + | ||
| +#define KVM_FEATURE_MIGRATION_CONTROL BIT17 | ||
| + | ||
| +/** | ||
| + Figures out if we are running inside KVM HVM and | ||
| + KVM HVM supports SEV Live Migration feature. | ||
| + | ||
| + @retval TRUE SEV live migration is supported. | ||
| + @retval FALSE SEV live migration is not supported. | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +KvmDetectSevLiveMigrationFeature ( | ||
| + VOID | ||
| + ); | ||
| + | ||
| +#endif // PEI_DXE_MEM_ENCRYPT_SEV_LIB_INTERNAL_H_ | ||
| diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | ||
| index f381b925..b20ffc11 100644 | ||
| --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | ||
| +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | ||
| @@ -17,6 +17,11 @@ | ||
| #include <Register/Cpuid.h> | ||
| #include <Uefi/UefiBaseType.h> | ||
|
|
||
| +#include "PeiDxeMemEncryptSevLibInternal.h" | ||
| + | ||
| +STATIC BOOLEAN mSevLiveMigrationStatus = FALSE; | ||
| +STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE; | ||
| + | ||
| /** | ||
| Read the workarea to determine whether SEV is enabled. If enabled, | ||
| then return the SevEsWorkArea pointer. | ||
| @@ -83,6 +88,24 @@ MemEncryptSevSnpIsEnabled ( | ||
| return Msr.Bits.SevSnpBit ? TRUE : FALSE; | ||
| } | ||
|
|
||
| +/** | ||
| + Figures out if we are running inside KVM HVM and | ||
| + KVM HVM supports SEV Live Migration feature. | ||
| +**/ | ||
| +STATIC | ||
| +VOID | ||
| +EFIAPI | ||
| +InternalDetectSevLiveMigrationFeature ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + if (KvmDetectSevLiveMigrationFeature ()) { | ||
| + mSevLiveMigrationStatus = TRUE; | ||
| + } | ||
| + | ||
| + mSevLiveMigrationStatusChecked = TRUE; | ||
| +} | ||
| + | ||
| /** | ||
| Returns a boolean to indicate whether SEV-ES is enabled. | ||
|
|
||
| @@ -121,6 +144,25 @@ MemEncryptSevIsEnabled ( | ||
| return Msr.Bits.SevBit ? TRUE : FALSE; | ||
| } | ||
|
|
||
| +/** | ||
| + Returns a boolean to indicate whether SEV live migration is enabled. | ||
| + | ||
| + @retval TRUE SEV live migration is enabled | ||
| + @retval FALSE SEV live migration is not enabled | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +MemEncryptSevLiveMigrationIsEnabled ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + if (!mSevLiveMigrationStatusChecked) { | ||
| + InternalDetectSevLiveMigrationFeature (); | ||
| + } | ||
| + | ||
| + return mSevLiveMigrationStatus; | ||
| +} | ||
| + | ||
| /** | ||
| Returns the SEV encryption mask. | ||
|
|
||
| diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | ||
| index 946bed2a..0e5faa1b 100644 | ||
| --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | ||
| +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | ||
| @@ -121,6 +121,24 @@ MemEncryptSevIsEnabled ( | ||
| return Msr.Bits.SevBit ? TRUE : FALSE; | ||
| } | ||
|
|
||
| +/** | ||
| + Returns a boolean to indicate whether SEV live migration is enabled. | ||
| + | ||
| + @retval TRUE SEV live migration is enabled | ||
| + @retval FALSE SEV live migration is not enabled | ||
| +**/ | ||
| +BOOLEAN | ||
| +EFIAPI | ||
| +MemEncryptSevLiveMigrationIsEnabled ( | ||
| + VOID | ||
| + ) | ||
| +{ | ||
| + // | ||
| + // Not used in SEC phase. | ||
| + // | ||
| + return FALSE; | ||
| +} | ||
| + | ||
| /** | ||
| Returns the SEV encryption mask. | ||
|
|
||
| -- | ||
| 2.25.1 | ||
|
|
Oops, something went wrong.