;------------------------------------------------------------------------------ | |
; @file | |
; Provide the functions to check whether SEV and SEV-ES is enabled. | |
; | |
; Copyright (c) 2017 - 2021, Advanced Micro Devices, Inc. All rights reserved.<BR> | |
; SPDX-License-Identifier: BSD-2-Clause-Patent | |
; | |
;------------------------------------------------------------------------------ | |
BITS 32 | |
; | |
; SEV-ES #VC exception handler support | |
; | |
; #VC handler local variable locations | |
; | |
%define VC_CPUID_RESULT_EAX 0 | |
%define VC_CPUID_RESULT_EBX 4 | |
%define VC_CPUID_RESULT_ECX 8 | |
%define VC_CPUID_RESULT_EDX 12 | |
%define VC_GHCB_MSR_EDX 16 | |
%define VC_GHCB_MSR_EAX 20 | |
%define VC_CPUID_REQUEST_REGISTER 24 | |
%define VC_CPUID_FUNCTION 28 | |
; #VC handler total local variable size | |
; | |
%define VC_VARIABLE_SIZE 32 | |
; #VC handler GHCB CPUID request/response protocol values | |
; | |
%define GHCB_CPUID_REQUEST 4 | |
%define GHCB_CPUID_RESPONSE 5 | |
%define GHCB_CPUID_REGISTER_SHIFT 30 | |
%define CPUID_INSN_LEN 2 | |
; #VC handler offsets/sizes for accessing SNP CPUID page | |
; | |
%define SNP_CPUID_ENTRY_SZ 48 | |
%define SNP_CPUID_COUNT 0 | |
%define SNP_CPUID_ENTRY 16 | |
%define SNP_CPUID_ENTRY_EAX_IN 0 | |
%define SNP_CPUID_ENTRY_ECX_IN 4 | |
%define SNP_CPUID_ENTRY_EAX 24 | |
%define SNP_CPUID_ENTRY_EBX 28 | |
%define SNP_CPUID_ENTRY_ECX 32 | |
%define SNP_CPUID_ENTRY_EDX 36 | |
%define SEV_GHCB_MSR 0xc0010130 | |
%define SEV_STATUS_MSR 0xc0010131 | |
; The #VC was not for CPUID | |
%define TERM_VC_NOT_CPUID 1 | |
; The unexpected response code | |
%define TERM_UNEXPECTED_RESP_CODE 2 | |
%define PAGE_PRESENT 0x01 | |
%define PAGE_READ_WRITE 0x02 | |
%define PAGE_USER_SUPERVISOR 0x04 | |
%define PAGE_WRITE_THROUGH 0x08 | |
%define PAGE_CACHE_DISABLE 0x010 | |
%define PAGE_ACCESSED 0x020 | |
%define PAGE_DIRTY 0x040 | |
%define PAGE_PAT 0x080 | |
%define PAGE_GLOBAL 0x0100 | |
%define PAGE_2M_MBO 0x080 | |
%define PAGE_2M_PAT 0x01000 | |
%define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \ | |
PAGE_DIRTY + \ | |
PAGE_READ_WRITE + \ | |
PAGE_PRESENT) | |
%define PAGE_PDP_ATTR (PAGE_ACCESSED + \ | |
PAGE_READ_WRITE + \ | |
PAGE_PRESENT) | |
; Macro is used to issue the MSR protocol based VMGEXIT. The caller is | |
; responsible to populate values in the EDX:EAX registers. After the vmmcall | |
; returns, it verifies that the response code matches with the expected | |
; code. If it does not match then terminate the guest. The result of request | |
; is returned in the EDX:EAX. | |
; | |
; args 1:Request code, 2: Response code | |
%macro VmgExit 2 | |
; | |
; Add request code: | |
; GHCB_MSR[11:0] = Request code | |
or eax, %1 | |
mov ecx, SEV_GHCB_MSR | |
wrmsr | |
; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-bit | |
; mode, so work around this by temporarily switching to 64-bit mode. | |
; | |
BITS 64 | |
rep vmmcall | |
BITS 32 | |
mov ecx, SEV_GHCB_MSR | |
rdmsr | |
; | |
; Verify the reponse code, if it does not match then request to terminate | |
; GHCB_MSR[11:0] = Response code | |
mov ecx, eax | |
and ecx, 0xfff | |
cmp ecx, %2 | |
jne SevEsUnexpectedRespTerminate | |
%endmacro | |
; Macro to terminate the guest using the VMGEXIT. | |
; arg 1: reason code | |
%macro TerminateVmgExit 1 | |
mov eax, %1 | |
; | |
; Use VMGEXIT to request termination. At this point the reason code is | |
; located in EAX, so shift it left 16 bits to the proper location. | |
; | |
; EAX[11:0] => 0x100 - request termination | |
; EAX[15:12] => 0x1 - OVMF | |
; EAX[23:16] => 0xXX - REASON CODE | |
; | |
shl eax, 16 | |
or eax, 0x1100 | |
xor edx, edx | |
mov ecx, SEV_GHCB_MSR | |
wrmsr | |
; | |
; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-bit | |
; mode, so work around this by temporarily switching to 64-bit mode. | |
; | |
BITS 64 | |
rep vmmcall | |
BITS 32 | |
; | |
; We shouldn't come back from the VMGEXIT, but if we do, just loop. | |
; | |
%%TerminateHlt: | |
hlt | |
jmp %%TerminateHlt | |
%endmacro | |
; Terminate the guest due to unexpected response code. | |
SevEsUnexpectedRespTerminate: | |
TerminateVmgExit TERM_UNEXPECTED_RESP_CODE | |
%ifdef ARCH_X64 | |
; If SEV-ES is enabled then initialize and make the GHCB page shared | |
SevClearPageEncMaskForGhcbPage: | |
; Check if SEV is enabled | |
cmp byte[WORK_AREA_GUEST_TYPE], 1 | |
jnz SevClearPageEncMaskForGhcbPageExit | |
; Check if SEV-ES is enabled | |
mov ecx, 1 | |
bt [SEV_ES_WORK_AREA_STATUS_MSR], ecx | |
jnc SevClearPageEncMaskForGhcbPageExit | |
; | |
; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. | |
; This requires the 2MB page for this range be broken down into 512 4KB | |
; pages. All will be marked encrypted, except for the GHCB. | |
; | |
mov ecx, (GHCB_BASE >> 21) | |
mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR | |
mov [ecx * 8 + PT_ADDR (0x2000)], eax | |
; | |
; Page Table Entries (512 * 4KB entries => 2MB) | |
; | |
mov ecx, 512 | |
pageTableEntries4kLoop: | |
mov eax, ecx | |
dec eax | |
shl eax, 12 | |
add eax, GHCB_BASE & 0xFFE0_0000 | |
add eax, PAGE_4K_PDE_ATTR | |
mov [ecx * 8 + GHCB_PT_ADDR - 8], eax | |
mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx | |
loop pageTableEntries4kLoop | |
; | |
; Clear the encryption bit from the GHCB entry | |
; | |
mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12 | |
mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 | |
SevClearPageEncMaskForGhcbPageExit: | |
OneTimeCallRet SevClearPageEncMaskForGhcbPage | |
; Check if SEV is enabled, and get the C-bit mask above 31. | |
; Modified: EDX | |
; | |
; The value is returned in the EDX | |
GetSevCBitMaskAbove31: | |
xor edx, edx | |
; Check if SEV is enabled | |
cmp byte[WORK_AREA_GUEST_TYPE], 1 | |
jnz GetSevCBitMaskAbove31Exit | |
mov edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4] | |
GetSevCBitMaskAbove31Exit: | |
OneTimeCallRet GetSevCBitMaskAbove31 | |
%endif | |
; Check if Secure Encrypted Virtualization (SEV) features are enabled. | |
; | |
; Register usage is tight in this routine, so multiple calls for the | |
; same CPUID and MSR data are performed to keep things simple. | |
; | |
; Modified: EAX, EBX, ECX, EDX, ESP | |
; | |
; If SEV is enabled then EAX will be at least 32. | |
; If SEV is disabled then EAX will be zero. | |
; | |
CheckSevFeatures: | |
; | |
; Clear the workarea, if SEV is enabled then later part of routine | |
; will populate the workarea fields. | |
; | |
mov ecx, SEV_ES_WORK_AREA_SIZE | |
mov eax, SEV_ES_WORK_AREA | |
ClearSevEsWorkArea: | |
mov byte [eax], 0 | |
inc eax | |
loop ClearSevEsWorkArea | |
; | |
; Set up exception handlers to check for SEV-ES | |
; Load temporary RAM stack based on PCDs (see SevEsIdtVmmComm for | |
; stack usage) | |
; Establish exception handlers | |
; | |
mov esp, SEV_ES_VC_TOP_OF_STACK | |
mov eax, ADDR_OF(Idtr) | |
lidt [cs:eax] | |
; Check if we have a valid (0x8000_001F) CPUID leaf | |
; CPUID raises a #VC exception if running as an SEV-ES guest | |
mov eax, 0x80000000 | |
cpuid | |
; This check should fail on Intel or Non SEV AMD CPUs. In future if | |
; Intel CPUs supports this CPUID leaf then we are guranteed to have exact | |
; same bit definition. | |
cmp eax, 0x8000001f | |
jl NoSev | |
; Check for SEV memory encryption feature: | |
; CPUID Fn8000_001F[EAX] - Bit 1 | |
; CPUID raises a #VC exception if running as an SEV-ES guest | |
mov eax, 0x8000001f | |
cpuid | |
bt eax, 1 | |
jnc NoSev | |
; Check if SEV memory encryption is enabled | |
; MSR_0xC0010131 - Bit 0 (SEV enabled) | |
mov ecx, SEV_STATUS_MSR | |
rdmsr | |
bt eax, 0 | |
jnc NoSev | |
; Set the work area header to indicate that the SEV is enabled | |
mov byte[WORK_AREA_GUEST_TYPE], 1 | |
; Save the SevStatus MSR value in the workarea | |
mov [SEV_ES_WORK_AREA_STATUS_MSR], eax | |
mov [SEV_ES_WORK_AREA_STATUS_MSR + 4], edx | |
; Check if SEV-ES is enabled | |
; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) | |
mov ecx, SEV_STATUS_MSR | |
rdmsr | |
bt eax, 1 | |
jnc GetSevEncBit | |
GetSevEncBit: | |
; Get pte bit position to enable memory encryption | |
; CPUID Fn8000_001F[EBX] - Bits 5:0 | |
; | |
and ebx, 0x3f | |
mov eax, ebx | |
; The encryption bit position is always above 31 | |
sub ebx, 32 | |
jns SevSaveMask | |
; Encryption bit was reported as 31 or below, enter a HLT loop | |
SevEncBitLowHlt: | |
cli | |
hlt | |
jmp SevEncBitLowHlt | |
SevSaveMask: | |
xor edx, edx | |
bts edx, ebx | |
mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 | |
mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx | |
jmp SevExit | |
NoSev: | |
; | |
; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. | |
; | |
; If SEV-ES is enabled, the CPUID instruction will trigger a #VC exception | |
; where the RECEIVED_VC offset in the workarea will be set to one. | |
; | |
cmp byte[SEV_ES_WORK_AREA_RECEIVED_VC], 0 | |
jz NoSevPass | |
; | |
; A #VC was received, yet CPUID indicates no SEV-ES support, something | |
; isn't right. | |
; | |
NoSevEsVcHlt: | |
cli | |
hlt | |
jmp NoSevEsVcHlt | |
NoSevPass: | |
xor eax, eax | |
SevExit: | |
; | |
; Clear exception handlers and stack | |
; | |
push eax | |
mov eax, ADDR_OF(IdtrClear) | |
lidt [cs:eax] | |
pop eax | |
mov esp, 0 | |
OneTimeCallRet CheckSevFeatures | |
; Start of #VC exception handling routines | |
; | |
SevEsIdtNotCpuid: | |
TerminateVmgExit TERM_VC_NOT_CPUID | |
iret | |
; Use the SNP CPUID page to handle the cpuid lookup | |
; | |
; Modified: EAX, EBX, ECX, EDX | |
; | |
; Relies on the stack setup/usage in #VC handler: | |
; | |
; On entry, | |
; [esp + VC_CPUID_FUNCTION] contains EAX input to cpuid instruction | |
; | |
; On return, stores corresponding results of CPUID lookup in: | |
; [esp + VC_CPUID_RESULT_EAX] | |
; [esp + VC_CPUID_RESULT_EBX] | |
; [esp + VC_CPUID_RESULT_ECX] | |
; [esp + VC_CPUID_RESULT_EDX] | |
; | |
SnpCpuidLookup: | |
mov eax, [esp + VC_CPUID_FUNCTION] | |
mov ebx, [CPUID_BASE + SNP_CPUID_COUNT] | |
mov ecx, CPUID_BASE + SNP_CPUID_ENTRY | |
; Zero these out now so we can simply return if lookup fails | |
mov dword[esp + VC_CPUID_RESULT_EAX], 0 | |
mov dword[esp + VC_CPUID_RESULT_EBX], 0 | |
mov dword[esp + VC_CPUID_RESULT_ECX], 0 | |
mov dword[esp + VC_CPUID_RESULT_EDX], 0 | |
SnpCpuidCheckEntry: | |
cmp ebx, 0 | |
je VmmDoneSnpCpuid | |
cmp dword[ecx + SNP_CPUID_ENTRY_EAX_IN], eax | |
jne SnpCpuidCheckEntryNext | |
; As with SEV-ES handler we assume requested CPUID sub-leaf/index is 0 | |
cmp dword[ecx + SNP_CPUID_ENTRY_ECX_IN], 0 | |
je SnpCpuidEntryFound | |
SnpCpuidCheckEntryNext: | |
dec ebx | |
add ecx, SNP_CPUID_ENTRY_SZ | |
jmp SnpCpuidCheckEntry | |
SnpCpuidEntryFound: | |
mov eax, [ecx + SNP_CPUID_ENTRY_EAX] | |
mov [esp + VC_CPUID_RESULT_EAX], eax | |
mov eax, [ecx + SNP_CPUID_ENTRY_EBX] | |
mov [esp + VC_CPUID_RESULT_EBX], eax | |
mov eax, [ecx + SNP_CPUID_ENTRY_EDX] | |
mov [esp + VC_CPUID_RESULT_ECX], eax | |
mov eax, [ecx + SNP_CPUID_ENTRY_ECX] | |
mov [esp + VC_CPUID_RESULT_EDX], eax | |
jmp VmmDoneSnpCpuid | |
; | |
; Total stack usage for the #VC handler is 44 bytes: | |
; - 12 bytes for the exception IRET (after popping error code) | |
; - 32 bytes for the local variables. | |
; | |
SevEsIdtVmmComm: | |
; | |
; If we're here, then we are an SEV-ES guest and this | |
; was triggered by a CPUID instruction | |
; | |
; Set the recievedVc field in the workarea to communicate that | |
; a #VC was taken. | |
mov byte[SEV_ES_WORK_AREA_RECEIVED_VC], 1 | |
pop ecx ; Error code | |
cmp ecx, 0x72 ; Be sure it was CPUID | |
jne SevEsIdtNotCpuid | |
; Set up local variable room on the stack | |
; CPUID function : + 28 | |
; CPUID request register : + 24 | |
; GHCB MSR (EAX) : + 20 | |
; GHCB MSR (EDX) : + 16 | |
; CPUID result (EDX) : + 12 | |
; CPUID result (ECX) : + 8 | |
; CPUID result (EBX) : + 4 | |
; CPUID result (EAX) : + 0 | |
sub esp, VC_VARIABLE_SIZE | |
; Save the CPUID function being requested | |
mov [esp + VC_CPUID_FUNCTION], eax | |
; If SEV-SNP is enabled, use the CPUID page to handle the CPUID | |
; instruction. | |
mov ecx, SEV_STATUS_MSR | |
rdmsr | |
bt eax, 2 | |
jc SnpCpuidLookup | |
; The GHCB CPUID protocol uses the following mapping to request | |
; a specific register: | |
; 0 => EAX, 1 => EBX, 2 => ECX, 3 => EDX | |
; | |
; Set EAX as the first register to request. This will also be used as a | |
; loop variable to request all register values (EAX to EDX). | |
xor eax, eax | |
mov [esp + VC_CPUID_REQUEST_REGISTER], eax | |
; Save current GHCB MSR value | |
mov ecx, SEV_GHCB_MSR | |
rdmsr | |
mov [esp + VC_GHCB_MSR_EAX], eax | |
mov [esp + VC_GHCB_MSR_EDX], edx | |
NextReg: | |
; | |
; Setup GHCB MSR | |
; GHCB_MSR[63:32] = CPUID function | |
; GHCB_MSR[31:30] = CPUID register | |
; GHCB_MSR[11:0] = CPUID request protocol | |
; | |
mov eax, [esp + VC_CPUID_REQUEST_REGISTER] | |
cmp eax, 4 | |
jge VmmDone | |
shl eax, GHCB_CPUID_REGISTER_SHIFT | |
mov edx, [esp + VC_CPUID_FUNCTION] | |
VmgExit GHCB_CPUID_REQUEST, GHCB_CPUID_RESPONSE | |
; | |
; Response GHCB MSR | |
; GHCB_MSR[63:32] = CPUID register value | |
; GHCB_MSR[31:30] = CPUID register | |
; GHCB_MSR[11:0] = CPUID response protocol | |
; | |
; Save returned value | |
shr eax, GHCB_CPUID_REGISTER_SHIFT | |
mov [esp + eax * 4], edx | |
; Next register | |
inc word [esp + VC_CPUID_REQUEST_REGISTER] | |
jmp NextReg | |
VmmDone: | |
; | |
; At this point we have all CPUID register values. Restore the GHCB MSR, | |
; set the return register values and return. | |
; | |
mov eax, [esp + VC_GHCB_MSR_EAX] | |
mov edx, [esp + VC_GHCB_MSR_EDX] | |
mov ecx, SEV_GHCB_MSR | |
wrmsr | |
VmmDoneSnpCpuid: | |
mov eax, [esp + VC_CPUID_RESULT_EAX] | |
mov ebx, [esp + VC_CPUID_RESULT_EBX] | |
mov ecx, [esp + VC_CPUID_RESULT_ECX] | |
mov edx, [esp + VC_CPUID_RESULT_EDX] | |
add esp, VC_VARIABLE_SIZE | |
; Update the EIP value to skip over the now handled CPUID instruction | |
; (the CPUID instruction has a length of 2) | |
add word [esp], CPUID_INSN_LEN | |
iret | |
ALIGN 2 | |
Idtr: | |
dw IDT_END - IDT_BASE - 1 ; Limit | |
dd ADDR_OF(IDT_BASE) ; Base | |
IdtrClear: | |
dw 0 ; Limit | |
dd 0 ; Base | |
ALIGN 16 | |
; | |
; The Interrupt Descriptor Table (IDT) | |
; This will be used to determine if SEV-ES is enabled. Upon execution | |
; of the CPUID instruction, a VMM Communication Exception will occur. | |
; This will tell us if SEV-ES is enabled. We can use the current value | |
; of the GHCB MSR to determine the SEV attributes. | |
; | |
IDT_BASE: | |
; | |
; Vectors 0 - 28 (No handlers) | |
; | |
%rep 29 | |
dw 0 ; Offset low bits 15..0 | |
dw 0x10 ; Selector | |
db 0 ; Reserved | |
db 0x8E ; Gate Type (IA32_IDT_GATE_TYPE_INTERRUPT_32) | |
dw 0 ; Offset high bits 31..16 | |
%endrep | |
; | |
; Vector 29 (VMM Communication Exception) | |
; | |
dw (ADDR_OF(SevEsIdtVmmComm) & 0xffff) ; Offset low bits 15..0 | |
dw 0x10 ; Selector | |
db 0 ; Reserved | |
db 0x8E ; Gate Type (IA32_IDT_GATE_TYPE_INTERRUPT_32) | |
dw (ADDR_OF(SevEsIdtVmmComm) >> 16) ; Offset high bits 31..16 | |
; | |
; Vectors 30 - 31 (No handlers) | |
; | |
%rep 2 | |
dw 0 ; Offset low bits 15..0 | |
dw 0x10 ; Selector | |
db 0 ; Reserved | |
db 0x8E ; Gate Type (IA32_IDT_GATE_TYPE_INTERRUPT_32) | |
dw 0 ; Offset high bits 31..16 | |
%endrep | |
IDT_END: |