Add support for Hygon CSV3 feature #4

Merged
merged 1 commit into from
Oct 10, 2024

Conversation

wojiaohanliyang
@wojiaohanliyang wojiaohanliyang commented Oct 9, 2024

CSV3 provides an enhancement technology named memory isolation to improve the security. A
dedicated memory isolation hardware is built in Hygon hardware. Only the secure processor
has privilege to configure the isolation hardware. The VMM allocates CMA memory and transfers
them to secure processor. The secure processor maps the memory to secure nested page table
and manages them as guest's private memory. Any memory access (read or write) to CSV3 guest's
private memory outside the guest will be blocked by isolation hardware.

0004-MdePkg-Add-StandardSignatureIsHygonGenuine-in-BaseCp.patch
- Add Hygon platform detection code
0005-UefiCpuPkg-LocalApicLib-Exclude-second-SendIpi-seque.patch
- Delete the 2nd SendIpi messages in SendInitSipiSipi and SendInitSipiSipiAllExcludingSelf for Hygon guest.
0006-OvmfPkg-Add-CSV-secure-call-library-on-Hygon-CPU.patch
- Add CSV3 secure call library. The secure call provides a secure data exchange channel between the CSV3 guest and the security processor.
0007-OvmfPkg-ResetVector-Support-CSV-in-ResetVector-phase.patch
- Support CSV3 function in ResetVector phase.
0008-OvmfPkg-PlatformPei-Initialize-CSV-VM-s-memory.patch
- Initialize the memory of the current CSV3 guest.
0009-OvmfPkg-BaseMemcryptSevLib-update-page-status-to-Sec.patch
- Update page enc/dec status of the current CSV3 guest.
0010-OvmfPkg-Tcg-Add-CsvLib-for-TpmMmioSevDecryptPei.patch
- Support compile with TpmMmio.
0011-OvmfPkg-Add-CsvDxe-driver.patch
- Add CSV3 DXE driver. The driver creates and installs the CSV3 shared memory protocol for supporting data exchange with peripherals.
0012-OvmfPkg-IoMmuDxe-Add-CsvIoMmu-protocol.patch
- Add CSV3 iommu protocol. This driver creates a proprietary iommu protocol for the CSV3 guest to support operations such as DMA.
0013-OvmfPkg-Use-classic-mmio-window-for-CSV-guest.patch
- Limited by the MMIO range of the CSV3 firmware, the CSV3 guest uses the classic MMIO address range.
0014-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch
- The commit 049695a0b1 ("MdeModulePkg/PciBusDxe: Add feedback status for PciIoMap") has added feedback with the status of the SetAttribute () return value in PciIoMap (); it is necessary to implement SetAttribute () for CsvIoMmu to fix the CSV3 boot up failure issue.

How to test:

Code requirement:

Generated binaries:

  • Linux Kernel: deb packages of the kernel, install these packages on both the host and guest, reboot the host with this new kernel.
  • Linux cmdline must contain: csv_mem_percentage=@xxx kvm-amd.sev=1 kvm-amd.sev_es=1. The @xxx is a decimal number, for example, 50 means provide 50% of the total main memory for CSV3 guests at most.
  • The CPU must support CSV3 hardware feature.
  • Run command dmesg | grep 'CSV3 enabled'; if we see CSV: CSV3 enabled (ASIDs ...) at the host side, it means we can launch and run CSV3 guests.
  • Qemu: assume the qemu bin is installed to /usr/bin/qemu-system-x86_64
  • Edk2: assume the OVMF bin is installed to /usr/share/OVMF/OVMF_CODE_4M.fd

Create and run CSV3 guest

  • Qemu command line
/usr/bin/qemu-system-x86_64 \
-enable-kvm -cpu host -smp 40 -m 10G \
-drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.fd,readonly=on \
-object sev-guest,id=sev0,policy=0x45,cbitpos=47,reduced-phys-bits=5 \
-machine memory-encryption=sev0 -machine q35 \
-device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=on \
-drive file=./vm.qcow2,if=none,id=drive0 -device scsi-hd,drive=drive0,bootindex=1 \
-vnc 0.0.0.0:0,to=90
  • Log in to the CSV3 guest

Run command dmesg | grep CSV3 at the guest side, if we see HYGON CSV3, it means CSV3 security feature is active for this guest.
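The host- and guest-side checks in the test procedure above can be scripted so that a failed precondition is reported before a guest is launched. The following pre-flight script is an added example, not code from the PR or from the project: it takes the required kernel parameters (`csv_mem_percentage=<n>`, `kvm-amd.sev=1`, `kvm-amd.sev_es=1`) and the two dmesg markers (`CSV: CSV3 enabled` on the host, `HYGON CSV3` in the guest) from the description, keeps each check as a function that works on text so it can be exercised on the constructed sample lines embedded below, and only touches the real `/proc/cmdline` and `dmesg` when the `CSV3_PRECHECK_RUN` environment variable (an assumption of this example, not a project convention) is set.

```shell
#!/bin/sh
# Added example (not part of the PR): pre-flight checks for the CSV3 test
# procedure. Each check takes its input as text; 'main' feeds it real data.

# Constructed sample log lines for self-testing (not output from any real machine).
HOST_DMESG_SAMPLE='[    2.345678] ccp 0000:03:00.1: sev enabled
[    2.456789] CSV: CSV3 enabled (ASIDs 1 - 100)'
GUEST_DMESG_SAMPLE='[    0.000000] Memory Encryption Features active: HYGON CSV3'

# check_cmdline "<kernel cmdline>": returns 0 when csv_mem_percentage=<1..100>,
# kvm-amd.sev=1 and kvm-amd.sev_es=1 are all present; lists what is missing otherwise.
check_cmdline() {
    cmdline="$1"
    missing=""
    # Value of csv_mem_percentage=<n>, first occurrence wins, empty if absent.
    pct=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^csv_mem_percentage=//p' | head -n 1)
    case "$pct" in
        ''|*[!0-9]*) missing="$missing csv_mem_percentage=<decimal>" ;;
        *) if [ "$pct" -lt 1 ] || [ "$pct" -gt 100 ]; then
               missing="$missing csv_mem_percentage=<1..100>(got $pct)"
           fi ;;
    esac
    for p in kvm-amd.sev=1 kvm-amd.sev_es=1; do
        case " $cmdline " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "kernel cmdline is missing:$missing" >&2
        return 1
    fi
    return 0
}

# check_host_dmesg "<dmesg text>": the host kernel must report CSV3 as enabled
# before any CSV3 guest can be launched.
check_host_dmesg() {
    if printf '%s\n' "$1" | grep -q 'CSV: CSV3 enabled'; then
        return 0
    fi
    echo "host dmesg has no 'CSV: CSV3 enabled' line; CSV3 guests cannot be launched" >&2
    return 1
}

# check_guest_dmesg "<dmesg text>": inside the guest, the marker from the PR
# description confirms the CSV3 security feature is active for this VM.
check_guest_dmesg() {
    if printf '%s\n' "$1" | grep -q 'HYGON CSV3'; then
        return 0
    fi
    echo "guest dmesg has no 'HYGON CSV3' line; CSV3 is not active for this guest" >&2
    return 1
}

# main host|guest: run the checks against the live system.
main() {
    case "${1:-host}" in
        host)  check_cmdline "$(cat /proc/cmdline)" && check_host_dmesg "$(dmesg 2>/dev/null)" ;;
        guest) check_guest_dmesg "$(dmesg 2>/dev/null)" ;;
        *)     echo "usage: $0 host|guest" >&2; return 2 ;;
    esac
}

# Only touch the real system when explicitly asked (example convention).
if [ -n "${CSV3_PRECHECK_RUN:-}" ]; then
    main "$@"
fi
```

Run `CSV3_PRECHECK_RUN=1 sh csv3-precheck.sh host` on the host before starting the qemu command line, and `CSV3_PRECHECK_RUN=1 sh csv3-precheck.sh guest` after logging in; a non-zero exit with the printed reason tells you which of the description's preconditions was not met.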

@deepin-ci-robot
Contributor

Hi @wojiaohanliyang. Thanks for your PR. 😃

@deepin-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yukarichiba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot
Contributor

Hi @wojiaohanliyang. Thanks for your PR.

I'm waiting for a deepin-community member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


github-actions bot commented Oct 9, 2024

TAG Bot

TAG: 2024.08-2deepin1
EXISTED: no
DISTRIBUTION: unstable

@Zeno-sole Zeno-sole merged commit 894a240 into deepin-community:master Oct 10, 2024
1 of 2 checks passed