| 1 | /** @file
|
|---|
| 2 | File defines the Sec routines for the AMD SEV
|
|---|
| 3 |
|
|---|
| 4 | Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved.<BR>
|
|---|
| 5 |
|
|---|
| 6 | SPDX-License-Identifier: BSD-2-Clause-Patent
|
|---|
| 7 |
|
|---|
| 8 | **/
|
|---|
| 9 |
|
|---|
| 10 | #ifndef _AMD_SEV_SEC_INTERNAL_H__
|
|---|
| 11 | #define _AMD_SEV_SEC_INTERNAL_H__
|
|---|
| 12 |
|
|---|
| 13 | /**
|
|---|
| 14 | Handle an SEV-ES/GHCB protocol check failure.
|
|---|
| 15 |
|
|---|
| 16 | Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest
|
|---|
| 17 | wishes to be terminated.
|
|---|
| 18 |
|
|---|
| 19 | @param[in] ReasonCode Reason code to provide to the hypervisor for the
|
|---|
| 20 | termination request.
|
|---|
| 21 |
|
|---|
| 22 | **/
|
|---|
| 23 | VOID
|
|---|
| 24 | SevEsProtocolFailure (
|
|---|
| 25 | IN UINT8 ReasonCode
|
|---|
| 26 | );
|
|---|
| 27 |
|
|---|
| 28 | /**
|
|---|
| 29 | Validate the SEV-ES/GHCB protocol level.
|
|---|
| 30 |
|
|---|
| 31 | Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor
|
|---|
| 32 | and the guest intersect. If they don't intersect, request termination.
|
|---|
| 33 |
|
|---|
| 34 | **/
|
|---|
| 35 | VOID
|
|---|
| 36 | SevEsProtocolCheck (
|
|---|
| 37 | VOID
|
|---|
| 38 | );
|
|---|
| 39 |
|
|---|
| 40 | /**
|
|---|
| 41 | Determine if the SEV is active.
|
|---|
| 42 |
|
|---|
| 43 | During the early booting, GuestType is set in the work area. Verify that it
|
|---|
| 44 | is an SEV guest.
|
|---|
| 45 |
|
|---|
| 46 | @retval TRUE SEV is enabled
|
|---|
| 47 | @retval FALSE SEV is not enabled
|
|---|
| 48 |
|
|---|
| 49 | **/
|
|---|
| 50 | BOOLEAN
|
|---|
| 51 | IsSevGuest (
|
|---|
| 52 | VOID
|
|---|
| 53 | );
|
|---|
| 54 |
|
|---|
| 55 | /**
|
|---|
| 56 | Determine if SEV-ES is active.
|
|---|
| 57 |
|
|---|
| 58 | During early booting, SEV-ES support code will set a flag to indicate that
|
|---|
| 59 | SEV-ES is enabled. Return the value of this flag as an indicator that SEV-ES
|
|---|
| 60 | is enabled.
|
|---|
| 61 |
|
|---|
| 62 | @retval TRUE SEV-ES is enabled
|
|---|
| 63 | @retval FALSE SEV-ES is not enabled
|
|---|
| 64 |
|
|---|
| 65 | **/
|
|---|
| 66 | BOOLEAN
|
|---|
| 67 | SevEsIsEnabled (
|
|---|
| 68 | VOID
|
|---|
| 69 | );
|
|---|
| 70 |
|
|---|
| 71 | /**
|
|---|
| 72 | Validate System RAM used for decompressing the PEI and DXE firmware volumes
|
|---|
| 73 | when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are
|
|---|
| 74 | set in OvmfPkg/Include/Fdf/FvmainCompactScratchEnd.fdf.inc.
|
|---|
| 75 |
|
|---|
| 76 | **/
|
|---|
| 77 | VOID
|
|---|
| 78 | SecValidateSystemRam (
|
|---|
| 79 | VOID
|
|---|
| 80 | );
|
|---|
| 81 |
|
|---|
| 82 | /**
|
|---|
| 83 | Determine if SEV-SNP is active.
|
|---|
| 84 |
|
|---|
| 85 | @retval TRUE SEV-SNP is enabled
|
|---|
| 86 | @retval FALSE SEV-SNP is not enabled
|
|---|
| 87 |
|
|---|
| 88 | **/
|
|---|
| 89 | BOOLEAN
|
|---|
| 90 | SevSnpIsEnabled (
|
|---|
| 91 | VOID
|
|---|
| 92 | );
|
|---|
| 93 |
|
|---|
| 94 | /**
|
|---|
| 95 | Map MMIO regions unencrypted if SEV-ES is active.
|
|---|
| 96 |
|
|---|
| 97 | During early booting, page table entries default to having the encryption bit
|
|---|
| 98 | set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
|
|---|
| 99 | encryption bit should be cleared. Clear it here for any known MMIO accesses
|
|---|
| 100 | during SEC, which is currently just the APIC base address.
|
|---|
| 101 |
|
|---|
| 102 | **/
|
|---|
| 103 | VOID
|
|---|
| 104 | SecMapApicBaseUnencrypted (
|
|---|
| 105 | VOID
|
|---|
| 106 | );
|
|---|
| 107 |
|
|---|
| 108 | #endif
|
|---|
