OvmfPkg/BaseMemEncryptLib: Check for presence of an SVSM when not at …

…VMPL0 BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4654 Currently, an SEV-SNP guest will terminate if it is not running at VMPL0. The requirement for running at VMPL0 is removed if an SVSM is present. Update the current VMPL0 check to additionally check for the presence of an SVSM is the guest is not running at VMPL0. Cc: Ard Biesheuvel <[email protected]> Cc: Erdem Aktas <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Laszlo Ersek <[email protected]> Cc: Michael Roth <[email protected]> Cc: Min Xu <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Signed-off-by: Tom Lendacky <[email protected]>
Wenxing-hou · Apr 17, 2024 · 0afb874 · 0afb874
1 parent 47001ab
commit 0afb874
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
@@ -12,6 +12,7 @@
 #include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
 #include <Library/MemEncryptSevLib.h>
+#include <Library/AmdSvsmLib.h>
 
 #include "SnpPageStateChange.h"
 
@@ -74,10 +75,12 @@ MemEncryptSevSnpPreValidateSystemRam (
 
   //
   // The page state change uses the PVALIDATE instruction. The instruction
-  // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate
-  // the boot.
+  // can be run at VMPL-0 only. If its not a VMPL-0 guest, then an SVSM must
+  // be present to perform the operation on behalf of the guest. If the guest
+  // is not running at VMPL-0 and an SVSM is not present, then terminate the
+  // boot.
   //
-  if (!SevSnpIsVmpl0 ()) {
+  if (!SevSnpIsVmpl0 () && !AmdSvsmIsSvsmPresent ()) {
     SnpPageStateFailureTerminate ();
   }