Diffstat (limited to 'OvmfPkg/Sec')
-rw-r--r--OvmfPkg/Sec/AmdSev.c22
-rw-r--r--OvmfPkg/Sec/AmdSev.h23
-rw-r--r--OvmfPkg/Sec/SecMain.c5
-rw-r--r--OvmfPkg/Sec/SecMain.inf3
4 files changed, 52 insertions, 1 deletions
diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c
index aa655fd9cb..499d0c27d8 100644
--- a/OvmfPkg/Sec/AmdSev.c
+++ b/OvmfPkg/Sec/AmdSev.c
@@ -55,7 +55,6 @@ SevEsProtocolFailure (
@retval FALSE SEV-SNP is not enabled
**/
-STATIC
BOOLEAN
SevSnpIsEnabled (
VOID
@@ -281,3 +280,24 @@ SevEsIsEnabled (
return (SevEsWorkArea->SevEsEnabled != 0);
}
+
+/**
+ Validate System RAM used for decompressing the PEI and DXE firmware volumes
+ when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are
+ set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc.
+
+**/
+VOID
+SecValidateSystemRam (
+ VOID
+ )
+{
+ PHYSICAL_ADDRESS Start, End;
+
+ if (IsSevGuest () && SevSnpIsEnabled ()) {
+ Start = (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSecValidatedStart);
+ End = (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSecValidatedEnd);
+
+ MemEncryptSevSnpPreValidateSystemRam (Start, EFI_SIZE_TO_PAGES ((UINTN)(End - Start)));
+ }
+}
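Review bot: `End - Start` in SecValidateSystemRam is computed without checking that the two PCD values form a sane range, so if PcdOvmfSecValidatedEnd were ever below PcdOvmfSecValidatedStart the subtraction would wrap and a huge page count would reach MemEncryptSevSnpPreValidateSystemRam. Because this range decides which guest pages are treated as validated under SEV-SNP, I would guard it before the call with `ASSERT (End > Start);` and `ASSERT ((Start & EFI_PAGE_MASK) == 0);`, assuming DebugLib is linked into SEC. A build-time check where the PCDs are set would be stronger than a debug-only assert. EFI_SIZE_TO_PAGES rounds up, so an End that is not page-aligned silently extends the validated range by one page. Separately, the doc comment names the PCDs SecValidatedStart/SecValidatedEnd while the code reads PcdOvmfSecValidatedStart/PcdOvmfSecValidatedEnd, and the same comment is duplicated in the AmdSev.h hunk.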
diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h
index c0b1ca9618..dffd2ceb96 100644
--- a/OvmfPkg/Sec/AmdSev.h
+++ b/OvmfPkg/Sec/AmdSev.h
@@ -68,4 +68,27 @@ SevEsIsEnabled (
VOID
);
+/**
+ Validate System RAM used for decompressing the PEI and DXE firmware volumes
+ when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are
+ set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc.
+
+**/
+VOID
+SecValidateSystemRam (
+ VOID
+ );
+
+/**
+ Determine if SEV-SNP is active.
+
+ @retval TRUE SEV-SNP is enabled
+ @retval FALSE SEV-SNP is not enabled
+
+**/
+BOOLEAN
+SevSnpIsEnabled (
+ VOID
+ );
+
#endif
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index 58e3b923b4..2c5561661e 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -861,6 +861,11 @@ SecCoreStartupWithStack (
SecCoreData.BootFirmwareVolumeSize = (UINTN)BootFv->FvLength;
//
+ // Validate the System RAM used in the SEC Phase
+ //
+ SecValidateSystemRam ();
+
+ //
// Make sure the 8259 is masked before initializing the Debug Agent and the debug timer is enabled
//
IoWrite8 (0x21, 0xff);
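Review bot: The comment above the new `SecValidateSystemRam ();` call does not record why the call sits at this point, and the ordering is the security-relevant part: under SEV-SNP the range has to be validated before SEC first reads or writes it. I would expand it to something like `// Under SEV-SNP, pre-validate the RAM SEC uses for decompression before it is first touched; no-op otherwise.` Whether anything earlier in SecCoreStartupWithStack already touches that range cannot be seen here, since the function starts and ends outside the hunk.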
diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf
index 41dcdba120..95cf0025e1 100644
--- a/OvmfPkg/Sec/SecMain.inf
+++ b/OvmfPkg/Sec/SecMain.inf
@@ -52,6 +52,7 @@
PeCoffExtraActionLib
ExtractGuidedSectionLib
LocalApicLib
+ MemEncryptSevLib
CpuExceptionHandlerLib
[Ppis]
@@ -74,6 +75,8 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd
[FeaturePcd]
gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire