1 /**@file
2   Initialize Secure Encrypted Virtualization (SEV) support
3 
4   Copyright (c) 2017 - 2020, Advanced Micro Devices. All rights reserved.<BR>
5 
6   SPDX-License-Identifier: BSD-2-Clause-Patent
7 
8 **/
9 //
10 // The package level header files this module uses
11 //
12 #include <IndustryStandard/Q35MchIch9.h>
13 #include <Library/DebugLib.h>
14 #include <Library/HobLib.h>
15 #include <Library/MemEncryptSevLib.h>
16 #include <Library/PcdLib.h>
17 #include <PiPei.h>
18 #include <Register/Intel/SmramSaveStateMap.h>
19 
20 #include "Platform.h"
21 
/**
  Publish the SEV-dependent platform settings.

  Returns at once when MemEncryptSevIsEnabled() reports that SEV is not
  active. Otherwise, in this order:
    - stores the value returned by MemEncryptSevGetEncryptionMask() in the
      dynamic PCD PcdPteMemoryEncryptionAddressOrMask;
    - sets PcdOptionRomImageVerificationPolicy to 0x4, so that an option ROM
      is denied execution on a security violation;
    - when SMM is required and the boot is not an S3 resume, makes sure the
      pages holding the initial SMRAM Save State Map are covered by a memory
      allocation, so that the DXE phase stays away from them while they are
      decrypted for SMBASE relocation.

  The function has no error return: the PCD setters and the save state map
  lookup are checked with ASSERT_RETURN_ERROR() only.
**/
VOID
AmdSevInitialize (
  VOID
  )
{
  RETURN_STATUS  Status;
  UINT64         SevMask;
  UINTN          SaveStateBase;
  UINTN          SaveStatePages;

  //
  // Nothing to publish unless SEV is active.
  //
  if (!MemEncryptSevIsEnabled ()) {
    return;
  }

  //
  // Hand the memory encryption mask to the rest of the firmware through the
  // dynamic PCD.
  //
  SevMask = MemEncryptSevGetEncryptionMask ();
  Status  = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, SevMask);
  ASSERT_RETURN_ERROR (Status);

  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", SevMask));

  //
  // Policy value 0x4: deny the execution of an option ROM on a security
  // violation.
  // NOTE(review): presumably chosen because option ROM images originate
  // outside the encrypted guest -- confirm against the PCD's definition.
  //
  Status = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
  ASSERT_RETURN_ERROR (Status);

  //
  // The save state map handling below applies only when SMM is required and
  // this is not an S3 resume.
  //
  if (!FeaturePcdGet (PcdSmmSmramRequire) || (mBootMode == BOOT_ON_S3_RESUME)) {
    return;
  }

  //
  // The pages containing the initial SMRAM Save State Map get decrypted for
  // SMBASE relocation and re-encrypted only afterwards. During that interval
  // the DXE phase must not place data in them, otherwise that data could leak
  // to the hypervisor; hence the pages have to be covered by an allocation.
  //
  Status = MemEncryptSevLocateInitialSmramSaveStateMapPages (
             &SaveStateBase,
             &SaveStatePages
             );
  //
  // NOTE(review): this is the only check of the lookup result. Where
  // assertions are compiled out, a failure would pass unnoticed and
  // SaveStateBase / SaveStatePages (declared without initializers) would be
  // used as they are -- confirm the lookup cannot fail here, or that the
  // build keeps assertions enabled.
  //
  ASSERT_RETURN_ERROR (Status);

  if (!mQ35SmramAtDefaultSmbase) {
    //
    // No larger reservation exists; cover exactly the save state map pages.
    //
    BuildMemoryAllocationHob (
      SaveStateBase,                       // BaseAddress
      EFI_PAGES_TO_SIZE (SaveStatePages),  // Length
      EfiBootServicesData                  // MemoryType
      );
    return;
  }

  //
  // InitializeRamRegions() has already covered the save state map as part of
  // a larger reserved memory allocation; only verify that the located pages
  // lie inside [SMM_DEFAULT_SMBASE, SMM_DEFAULT_SMBASE +
  // MCH_DEFAULT_SMBASE_SIZE].
  //
  ASSERT (SMM_DEFAULT_SMBASE <= SaveStateBase);
  ASSERT (
    (SaveStateBase + EFI_PAGES_TO_SIZE (SaveStatePages) <=
     SMM_DEFAULT_SMBASE + MCH_DEFAULT_SMBASE_SIZE)
    );
}