From: Zixuan Wang <zxwang42@gmail.com>
To: kvm@vger.kernel.org, pbonzini@redhat.com, drjones@redhat.com
Cc: marcorr@google.com, baekhw@google.com, tmroeder@google.com,
	erdemaktas@google.com, rientjes@google.com, seanjc@google.com,
	brijesh.singh@amd.com, Thomas.Lendacky@amd.com,
	varad.gautam@suse.com, jroedel@suse.de, bp@suse.de
Subject: [kvm-unit-tests PATCH v3 16/17] x86 AMD SEV-ES: Set up GHCB page
Date: Mon,  4 Oct 2021 13:49:30 -0700	[thread overview]
Message-ID: <20211004204931.1537823-17-zxwang42@gmail.com> (raw)
In-Reply-To: <20211004204931.1537823-1-zxwang42@gmail.com>

From: Zixuan Wang <zixuanwang@google.com>

AMD SEV-ES introduces a GHCB page for guest/host communication. This
page should be unencrypted, i.e. its c-bit should be unset, otherwise
the guest VM may crash when a #VC exception happens.

By default, KVM-Unit-Tests only sets up 2MiB pages, i.e. only Level 2
page table entries are provided. Unsetting GHCB Level 2 pte's c-bit
still crashes the guest VM. The solution is to unset only its Level 1
pte's c-bit.

This commit provides GHCB page setup code that:

   1. finds GHCB Level 1 pte
   2. if not found, installs corresponding Level 1 pages
   3. unsets GHCB Level 1 pte's c-bit

In this commit, KVM-Unit-Tests can run in an SEV-ES VM and boot into
test cases' main().
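The three steps above, as an added example that is not part of this patch or of kvm-unit-tests: a constructed C model of the page-table operation. It reuses the project's macro names (PT_PRESENT_MASK, PT_PAGE_SIZE_MASK, LARGE_PAGE_SIZE, pteval_t) only for readability; the tables are host arrays, the c-bit position (47), the GHCB address (0x3f5a3000) and the helper names (build_identity_l2, split_large_page, setup_ghcb_pte_model, page_is_private, shared_pages_in_region) are assumptions of the model. What it adds beyond the text is the part a reviewer cares about: the split must copy the c-bit into all 512 new Level 1 entries so that only the GHCB page ends up shared, and shared_pages_in_region() is the check that confirms it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the GHCB page-table fix-up. Names follow kvm-unit-tests
 * for readability, but this is not the project's code: page tables are plain C
 * arrays and the "physical" address of a table is just its host pointer (an
 * identity map, as in the framework's setup_page_table()).
 */
#define PAGE_SIZE          4096ULL
#define LARGE_PAGE_SIZE    (2ULL << 20)            /* one Level 2 entry */
#define ENTRIES_PER_TABLE  512
#define PT_PRESENT_MASK    (1ULL << 0)
#define PT_WRITABLE_MASK   (1ULL << 1)
#define PT_PAGE_SIZE_MASK  (1ULL << 7)             /* PS: entry maps 2 MiB */
#define PT_ADDR_MASK       0x000ffffffffff000ULL   /* bits 51:12 */

/* Assumed c-bit position; a real guest reads it from CPUID, this is a stand-in. */
#define AMD_SEV_C_BIT_POS  47
#define C_BIT_MASK         (1ULL << AMD_SEV_C_BIT_POS)

typedef uint64_t pteval_t;

/* The model covers the first 1 GiB: 512 Level 2 entries, one spare Level 1 table. */
static pteval_t l2_table[ENTRIES_PER_TABLE] __attribute__((aligned(4096)));
static pteval_t l1_table[ENTRIES_PER_TABLE] __attribute__((aligned(4096)));
static bool l1_table_in_use;

static inline unsigned l2_index(uint64_t addr) { return (addr >> 21) & 511; }
static inline unsigned l1_index(uint64_t addr) { return (addr >> 12) & 511; }

/* Address bits of an entry with the c-bit stripped: the c-bit sits inside the
 * architectural address field, so it has to be masked out separately. */
static inline uint64_t frame_of(pteval_t e) { return e & PT_ADDR_MASK & ~C_BIT_MASK; }

/* Default identity map as setup_page_table() builds it: 2 MiB entries, all private. */
void build_identity_l2(void)
{
	for (unsigned i = 0; i < ENTRIES_PER_TABLE; i++)
		l2_table[i] = ((uint64_t)i << 21) | PT_PRESENT_MASK | PT_WRITABLE_MASK
			      | PT_PAGE_SIZE_MASK | C_BIT_MASK;
	l1_table_in_use = false;
}

/* Level 1 entry for addr, or NULL while the region is still one 2 MiB page
 * (the "not found" case of step 1). */
pteval_t *get_l1_pte(uint64_t addr)
{
	pteval_t l2e = l2_table[l2_index(addr)];

	if (!(l2e & PT_PRESENT_MASK) || (l2e & PT_PAGE_SIZE_MASK))
		return NULL;
	return &((pteval_t *)(uintptr_t)frame_of(l2e))[l1_index(addr)];
}

/* Step 2: replace the 2 MiB entry covering addr with 512 4 KiB entries that
 * inherit its flags, c-bit included, so nothing becomes shared as a side effect. */
int split_large_page(uint64_t addr)
{
	pteval_t *l2e = &l2_table[l2_index(addr)];
	uint64_t base = frame_of(*l2e) & ~(LARGE_PAGE_SIZE - 1);
	pteval_t flags = *l2e & (PT_PRESENT_MASK | PT_WRITABLE_MASK | C_BIT_MASK);

	if (!(*l2e & PT_PAGE_SIZE_MASK) || l1_table_in_use)
		return -1;
	for (unsigned j = 0; j < ENTRIES_PER_TABLE; j++)
		l1_table[j] = (base + j * PAGE_SIZE) | flags;
	l1_table_in_use = true;
	/* Repoint the Level 2 entry at the new table: PS cleared, table itself private. */
	*l2e = (pteval_t)(uintptr_t)l1_table | PT_PRESENT_MASK | PT_WRITABLE_MASK | C_BIT_MASK;
	return 0;
}

/* Steps 1-3 together: make exactly the GHCB's 4 KiB page shared. ghcb_addr
 * stands in for the value the real code reads from the GHCB MSR. */
int setup_ghcb_pte_model(uint64_t ghcb_addr)
{
	pteval_t *pte;

	if (ghcb_addr >= (uint64_t)ENTRIES_PER_TABLE * LARGE_PAGE_SIZE)
		return -1;		/* outside the modelled 1 GiB */
	pte = get_l1_pte(ghcb_addr);
	if (pte == NULL) {
		if (split_large_page(ghcb_addr) != 0)
			return -1;
		pte = get_l1_pte(ghcb_addr);
		if (pte == NULL)
			return -1;
	}
	*pte &= ~C_BIT_MASK;
	return 0;
}

/* Is the 4 KiB page at addr still private? Uses the Level 2 entry while unsplit. */
bool page_is_private(uint64_t addr)
{
	pteval_t *pte = get_l1_pte(addr);

	if (pte)
		return (*pte & C_BIT_MASK) != 0;
	return (l2_table[l2_index(addr)] & C_BIT_MASK) != 0;
}

/* Audit check: how many pages of the 2 MiB region around addr are shared?
 * After setup_ghcb_pte_model() the answer must be exactly 1. */
unsigned shared_pages_in_region(uint64_t addr)
{
	uint64_t base = addr & ~(LARGE_PAGE_SIZE - 1);
	unsigned n = 0;

	for (unsigned j = 0; j < ENTRIES_PER_TABLE; j++)
		if (!page_is_private(base + j * PAGE_SIZE))
			n++;
	return n;
}

int main(void)
{
	uint64_t ghcb = 0x3f5a3000ULL;	/* constructed GHCB address */

	build_identity_l2();
	setup_ghcb_pte_model(ghcb);
	printf("GHCB page private: %d, shared pages in its 2 MiB region: %u\n",
	       page_is_private(ghcb), shared_pages_in_region(ghcb));
	return 0;
}
```

The model deliberately fails closed: split_large_page() refuses to touch an entry that is not a huge page, and setup_ghcb_pte_model() returns an error rather than clearing the c-bit on an unexpected entry, which is the kind of guard a reviewer would ask for around any code that turns private guest memory into shared memory.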

Signed-off-by: Zixuan Wang <zixuanwang@google.com>
---
 lib/x86/amd_sev.c | 37 +++++++++++++++++++++++++++++++++++++
 lib/x86/amd_sev.h |  7 +++++++
 lib/x86/setup.c   |  4 ++++
 3 files changed, 48 insertions(+)

diff --git a/lib/x86/amd_sev.c b/lib/x86/amd_sev.c
index 50352df..6672214 100644
--- a/lib/x86/amd_sev.c
+++ b/lib/x86/amd_sev.c
@@ -11,6 +11,7 @@
 
 #include "amd_sev.h"
 #include "x86/processor.h"
+#include "x86/vm.h"
 
 static unsigned short amd_sev_c_bit_pos;
 
@@ -117,6 +118,42 @@ efi_status_t setup_amd_sev_es(void)
 	return EFI_SUCCESS;
 }
 
+void setup_ghcb_pte(pgd_t *page_table)
+{
+	/*
+	 * SEV-ES guest uses GHCB page to communicate with the host. This page
+	 * must be unencrypted, i.e. its c-bit should be unset. To do so, this
+	 * function searches GHCB's L1 pte, creates corresponding L1 ptes if not
+	 * found, and unsets the c-bit of GHCB's L1 pte.
+	 */
+	phys_addr_t ghcb_addr, ghcb_base_addr;
+	pteval_t *pte;
+
+	/* Read the current GHCB page addr */
+	ghcb_addr = rdmsr(SEV_ES_GHCB_MSR_INDEX);
+
+	/* Search Level 1 page table entry for GHCB page */
+	pte = get_pte_level(page_table, (void *)ghcb_addr, 1);
+
+	/* Create Level 1 pte for GHCB page if not found */
+	if (pte == NULL) {
+		/* Find Level 2 page base address */
+		ghcb_base_addr = ghcb_addr & ~(LARGE_PAGE_SIZE - 1);
+		/* Install Level 1 ptes */
+		install_pages(page_table, ghcb_base_addr, LARGE_PAGE_SIZE, (void *)ghcb_base_addr);
+		/* Find Level 2 pte, set as 4KB pages */
+		pte = get_pte_level(page_table, (void *)ghcb_addr, 2);
+		assert(pte);
+		*pte &= ~(PT_PAGE_SIZE_MASK);
+		/* Find Level 1 GHCB pte */
+		pte = get_pte_level(page_table, (void *)ghcb_addr, 1);
+		assert(pte);
+	}
+
+	/* Unset c-bit in Level 1 GHCB pte */
+	*pte &= ~(get_amd_sev_c_bit_mask());
+}
+
 unsigned long long get_amd_sev_c_bit_mask(void)
 {
 	if (amd_sev_enabled()) {
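Review bot: install_pages() is asked to create Level 1 entries for the whole 2 MiB region while the covering Level 2 entry still has PT_PAGE_SIZE_MASK set (the bit is only cleared afterwards by `*pte &= ~(PT_PAGE_SIZE_MASK);`), so correctness depends on install_pages() being willing to walk through a huge-page entry; either clear the PS bit before the install or add a comment stating why that order is safe. Also worth confirming in review: the 511 neighbouring 4 KiB entries that install_pages() writes must come out with the c-bit set, since only the GHCB entry is meant to become shared; if install_pages() does not apply get_amd_sev_c_bit_mask() to the entries it creates, the whole 2 MiB region silently becomes host-visible. Finally, `(void *)ghcb_addr` uses the MSR value as a virtual address, which is only valid under the identity map built in setup.c; a one-line comment would make that assumption explicit.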
diff --git a/lib/x86/amd_sev.h b/lib/x86/amd_sev.h
index 0ea1fda..6a10f84 100644
--- a/lib/x86/amd_sev.h
+++ b/lib/x86/amd_sev.h
@@ -45,8 +45,15 @@ efi_status_t setup_amd_sev(void);
  */
 #define SEV_ES_VC_HANDLER_VECTOR 29
 
+/*
+ * AMD Programmer's Manual Volume 2
+ *   - Section "GHCB"
+ */
+#define SEV_ES_GHCB_MSR_INDEX 0xc0010130
+
 bool amd_sev_es_enabled(void);
 efi_status_t setup_amd_sev_es(void);
+void setup_ghcb_pte(pgd_t *page_table);
 
 unsigned long long get_amd_sev_c_bit_mask(void);
 unsigned long long get_amd_sev_addr_upperbound(void);
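Review bot: the new prototype `void setup_ghcb_pte(pgd_t *page_table);` depends on pgd_t, but this hunk adds no include that provides the type; check that amd_sev.h already pulls in the header defining pgd_t, otherwise a translation unit including amd_sev.h on its own fails to compile. The value 0xc0010130 is the architectural GHCB MSR; the comment above it would be more useful if it named the MSR rather than only the manual section.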
diff --git a/lib/x86/setup.c b/lib/x86/setup.c
index 529c3d0..1f2cdde 100644
--- a/lib/x86/setup.c
+++ b/lib/x86/setup.c
@@ -314,6 +314,10 @@ static void setup_page_table(void)
 		curr_pt[i] = ((phys_addr_t)(i << 21)) | flags;
 	}
 
+	if (amd_sev_es_enabled()) {
+		setup_ghcb_pte((pgd_t *)&ptl4);
+	}
+
 	/* Load 4-level page table */
 	write_cr3((ulong)&ptl4);
 }
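Review bot: style, kernel coding style drops the braces around a single-statement `if` body, so `if (amd_sev_es_enabled())` followed by `setup_ghcb_pte((pgd_t *)&ptl4);` without braces. More usefully, a short comment tying this call to the write_cr3() below would document the ordering requirement: the commit message says a #VC taken with an encrypted GHCB crashes the guest, so the GHCB entry has to be fixed up before the new page table goes live.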
-- 
2.33.0

