docs/master/_tpm_mmio_sev_decrypt_peim_8c_source.html

#include <PiPei.h>


#include <Library/DebugLib.h>

#include <Library/MemEncryptSevLib.h>

#include <Library/PcdLib.h>

#include <Library/PeiServicesLib.h>


STATIC CONST EFI_PEI_PPI_DESCRIPTOR  mTpmMmioRangeAccessible = {

  EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,

  &gOvmfTpmMmioAccessiblePpiGuid,

  NULL

};


EFI_STATUS

EFIAPI

TpmMmioSevDecryptPeimEntryPoint (

  IN       EFI_PEI_FILE_HANDLE  FileHandle,

  IN CONST EFI_PEI_SERVICES     **PeiServices

  )

{

  RETURN_STATUS  DecryptStatus;

  EFI_STATUS     Status;


  DEBUG ((DEBUG_INFO, "%a\n", __func__));


  //

  // If SEV is active, MMIO succeeds against an encrypted physical address

  // because the nested page fault (NPF) that occurs on access does not

  // include the encryption bit in the guest physical address provided to the

  // hypervisor.

  //

  // If SEV-ES is active, MMIO would succeed against an encrypted physical

  // address because the #VC handler uses the virtual address (which is an

  // identity mapped physical address without the encryption bit) as the guest

  // physical address of the MMIO target in the VMGEXIT.

  //

  // However, if SEV-ES is active, before performing the actual MMIO, an

  // additional MMIO mitigation check is performed in the #VC handler to ensure

  // that MMIO is being done to/from an unencrypted address. To prevent guest

  // termination in this scenario, mark the range unencrypted ahead of access.

  //

  if (MemEncryptSevEsIsEnabled ()) {

    DEBUG ((

      DEBUG_INFO,

      "%a: mapping TPM MMIO address range unencrypted\n",

      __func__

      ));


    DecryptStatus = MemEncryptSevClearMmioPageEncMask (

                      0,

                      FixedPcdGet64 (PcdTpmBaseAddress),

                      EFI_SIZE_TO_PAGES ((UINTN)0x5000)

                      );


    if (RETURN_ERROR (DecryptStatus)) {

      DEBUG ((

        DEBUG_ERROR,

        "%a: failed to map TPM MMIO address range unencrypted\n",

        __func__

        ));

      ASSERT_RETURN_ERROR (DecryptStatus);

    }

  }


  //

  // MMIO range available

  //

  Status = PeiServicesInstallPpi (&mTpmMmioRangeAccessible);

  ASSERT_EFI_ERROR (Status);


  return EFI_ABORTED;

}

UINTN
UINT64 UINTN
Definition: ProcessorBind.h:112

PeiServicesInstallPpi
EFI_STATUS EFIAPI PeiServicesInstallPpi(IN CONST EFI_PEI_PPI_DESCRIPTOR *PpiList)
Definition: PeiServicesLib.c:43

NULL
#define NULL
Definition: Base.h:319

CONST
#define CONST
Definition: Base.h:259

STATIC
#define STATIC
Definition: Base.h:264

RETURN_ERROR
#define RETURN_ERROR(StatusCode)
Definition: Base.h:1061

IN
#define IN
Definition: Base.h:279

DebugLib.h

ASSERT_EFI_ERROR
#define ASSERT_EFI_ERROR(StatusParameter)
Definition: DebugLib.h:462

ASSERT_RETURN_ERROR
#define ASSERT_RETURN_ERROR(StatusParameter)
Definition: DebugLib.h:493

DEBUG
#define DEBUG(Expression)
Definition: DebugLib.h:434

MemEncryptSevLib.h

MemEncryptSevClearMmioPageEncMask
RETURN_STATUS EFIAPI MemEncryptSevClearMmioPageEncMask(IN PHYSICAL_ADDRESS Cr3BaseAddress, IN PHYSICAL_ADDRESS BaseAddress, IN UINTN NumPages)
Definition: MemEncryptSevLib.c:128

MemEncryptSevEsIsEnabled
BOOLEAN EFIAPI MemEncryptSevEsIsEnabled(VOID)
Definition: DxeMemEncryptSevLibInternal.c:128

PcdLib.h

FixedPcdGet64
#define FixedPcdGet64(TokenName)
Definition: PcdLib.h:106

PeiServicesLib.h

PiPei.h

EFI_PEI_FILE_HANDLE
VOID * EFI_PEI_FILE_HANDLE
Definition: PiPeiCis.h:26

TpmMmioSevDecryptPeimEntryPoint
EFI_STATUS EFIAPI TpmMmioSevDecryptPeimEntryPoint(IN EFI_PEI_FILE_HANDLE FileHandle, IN CONST EFI_PEI_SERVICES **PeiServices)
Definition: TpmMmioSevDecryptPeim.c:33

EFI_STATUS
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29

EFI_SIZE_TO_PAGES
#define EFI_SIZE_TO_PAGES(Size)
Definition: UefiBaseType.h:200

_EFI_PEI_SERVICES
Definition: PiPeiCis.h:877

EFI_PEI_PPI_DESCRIPTOR
Definition: PiPeiCis.h:90