Volume 2 System Programming (794096), page 104
AMD64 Technology 24593—Rev. 3.13—July 2007, Secure Virtual Machine, page 414

Signal the TPM to complete the hash and verify the signature. If any failures have occurred along the way, the TPM will conclude that no valid SL was started.

6. Clear the Global Interrupt Flag. This disables all interrupts, including NMI, SMI and INIT, and ensures that the subsequent code can execute atomically. If the processor enters the shutdown state (due to a triple fault for instance) while GIF is clear, it can only be restarted by means of a RESET.

7. Update the ESP register to point to the first byte beyond the end of the SLB (SLB base + 65536), so that the first item pushed onto the stack by the SL will be at the top of the SLB.

8. Add the unsigned 16-bit entry point offset value from the SLB to the SLB base address to form the SL entry point address, and jump to it.

The validation of the SL image by the TPM is a one-way transaction as far as SKINIT is concerned. It does not depend on any response from the TPM after transferring the SL image before jumping to the SL entry point, and initiates execution of the Secure Loader unconditionally. Because of the processor initialization performed, SKINIT does not honor instruction or data breakpoint traps, or trace traps due to EFLAGS.TF.

Pending interrupts. Device interrupts that may be pending prior to SKINIT execution due to EFLAGS.IF being clear, or that assert during the execution of SKINIT, will be held pending until software subsequently sets GIF to 1. Similarly, SMI, INIT and NMI interrupts that assert after the start of SKINIT execution will also be held pending until GIF is set to 1.

Debug Considerations. SKINIT automatically disables various implementation-specific hardware debug features. A debug version of the SL can reenable those features by clearing the VM_CR.DPD flag immediately upon entry.

15.26.7 SL Abort

If the SL determines that it cannot properly initialize a valid SK, it must cause GIF to be set to 1 and clear the VM_CR MSR to re-enable normal processor operation.

15.26.8 Secure Multiprocessor Initialization

The following standard APIC features are used for secure MP initialization:

• The concept of a single Bootstrap Processor (BSP) and multiple Application Processors (APs).
• The INIT interprocessor interrupt (IPI), which puts the target processors into a halted state which is responsive only to a subsequent Startup IPI.
• The Startup IPI causes target processors to begin execution at a location in memory that is specified by the Boot Processor and conveyed along with the Startup IPI. The operation of the processor in response to a Startup IPI is slightly modified to support secure initialization, as described below.

A Startup IPI normally causes an AP to start execution at a location provided by the IPI. To support secure MP startup, each AP responds to a startup IPI by additionally clearing its GIF and setting the DPD, R_INIT and DIS_A20M flags in the VM_CR register if, and only if, the BSP has indicated that it has executed an SKINIT. All other aspects of Startup IPI behavior remain unchanged.

Software Requirements for Secure MP initialization. The driver that starts the SL must execute on the BSP. Prior to executing the SKINIT instruction, the driver must save any processor-specific system register contents to memory for restoration after reinitialization of the APs. The driver should also put all APs in an idle state. The driver must first confirm that all APs are idle and then it must issue an INIT IPI to all APs and wait for its local APIC busy indication to clear. This places the APs into a halted state which is responsive only to a subsequent Startup IPI. APs will still respond to snoops for cache coherency. The driver may execute SKINIT at any time after this point. Depending on processor implementation, a fixed delay of no more than 1000 processor cycles may be necessary before executing SKINIT to ensure reliable sensing of APIC INIT state by the SKINIT.

AP Startup Sequence. While the SL starts executing on the BSP, the APs remain halted in APIC INIT state. Either the SL or the SK may issue the Startup IPI for the APs at whatever point is deemed appropriate. The Startup IPI conveys an 8-bit vector specified by the software that issues the IPI to the APs. This vector provides the upper 8 bits of a 20-bit physical address. Therefore, the AP startup code must reside in the lower 1 Mbyte of physical memory—with the entry point at offset 0 on that particular page.

In response to the Startup IPI, the APs start executing at the specified location in 16-bit real mode. This AP startup code must set up protections on each processor as determined by the SL or SK. It must also set GIF to re-enable interrupts, and restore the pre-SKINIT system context (as directed by the SL or SK executing on the BSP), before resuming normal system operation.

The SL must guarantee the integrity of the AP startup sequence, for example by including the startup code in the hashed SL image and setting up DEV protection for it before copying it to the desired area. The AP startup code does not need to (and should not) execute SKINIT.

Pending interrupts. Device interrupts that may be pending on an AP prior to the APIC INIT IPI due to EFLAGS.IF being clear, or that assert any time after the processor has accepted the INIT IPI, will be held pending through the subsequent Startup IPI, and remain pending until software sets GIF to 1 on that AP. Similarly, SMI, INIT, and NMI interrupts that assert after the processor has accepted the INIT IPI will also be held pending until GIF is set to 1.

Aborting MP initialization. In the event that the SL or SK on the BSP decides to abort SVM system initialization for any reason, the following clean-up actions must be performed by SL code executing on each processor before returning control to the original operating environment:

• The BSP and all APs that responded to the Startup IPI must restore GIF and clear VM_CR on each processor for normal operation.
• For each processor that has a distinct memory controller associated with it, the SL_DEV_EN flag in the DEV control register must be cleared in order to restore normal device accessibility to the 64KB SL memory range.

Any secure context created by the SL that should not be exposed to untrusted code should be cleaned up as appropriate before these steps are taken.

15.27 Security Exception (#SX)

The Security Exception fault signals security-sensitive events that occur while executing the VMM, in the form of an exception so that the VMM may take appropriate action.
(A VMM would typically intercept comparable sensitive events in the guest.) In the current implementation, the only use of the #SX is to redirect external INITs into an exception so that the VMM may — among other possibilities — destroy sensitive information before re-issuing the INIT, this time without redirection. The INIT redirection is controlled by the VM_CR.R_INIT bit.

The #SX exception dispatches to vector 30, and behaves like other fault-class exceptions such as General Protection Fault (#GP). The #SX exception pushes an error code. The only error code currently defined is 1, and indicates redirection of INIT has occurred.

The #SX exception is a contributory fault.

15.28 SVM Related MSRs

SVM uses the following MSRs for various control purposes. These MSRs are available regardless of whether SVM is enabled in EFER.SVME. For details on implementation-specific features, see the AMD BIOS and Kernel Developer’s Guide for your processor implementation.

15.28.1 VM_CR MSR (C001_0114h)

The VM_CR MSR controls certain global aspects of SVM.
The layout of the MSR is shown in Figure 15-14.

Figure 15-14. Layout of VM_CR MSR (C001_0114h): bits 63:5 Reserved, MBZ; bit 4 SVMDIS; bit 3 LOCK; bit 2 DIS_A20M; bit 1 R_INIT; bit 0 DPD.

The individual fields are as follows:

• DPD—Bit 0. If set, disables HDT and certain internal debug features.
• R_INIT—Bit 1. If set, non-intercepted INIT signals are converted into an #SX exception.
• DIS_A20M—Bit 2. If set, disables A20 masking.
• LOCK—Bit 3. When this bit is set, writes to LOCK and SVMDIS are silently ignored. When this bit is clear, VM_CR bits 3 and 4 can be written. Once set, LOCK can only be cleared using the SVM_KEY MSR (see Section 15.29, “SVM-Lock,” on page 419.) This bit is not affected by INIT or SKINIT.
• SVMDIS—Bit 4. When this bit is set, writes to EFER treat the SVME bit as MBZ. When this bit is clear, EFER.SVME can be written normally. This bit does not prevent CPUID from reporting that SVM is available. Setting SVMDIS while EFER.SVME is 1 generates a #GP fault, regardless of the current state of VM_CR.LOCK. This bit is not affected by SKINIT. It is cleared by INIT when LOCK is cleared to 0; otherwise, it is not affected.

15.28.2 IGNNE MSR (C001_0115h)

The read/write IGNNE MSR is used to set the state of the processor-internal IGNNE signal directly. This is only useful if IGNNE emulation has been enabled in the HW_CR MSR (and thus the external signal is being ignored).
Bit 0 specifies the current value of IGNNE; all other bits are MBZ.

15.28.3 SMM_CTL MSR (C001_0116h)

The write-only SMM_CTL MSR provides software control over SMM signals.

Figure 15-15. Layout of SMM_CTL MSR (C001_0116h): bits 63:5 Reserved, MBZ; bit 4 RSM_CYCLE; bit 3 EXIT; bit 2 SMI_CYCLE; bit 1 ENTER; bit 0 DISMISS.

Writing individual bits causes the following actions:

• DISMISS—Bit 0. Clear the processor-internal “SMI pending” flag.
• ENTER—Bit 1. Enter SMM: map the SMRAM memory areas, record whether NMI was currently blocked and block further NMI and SMI interrupts.
• SMI_CYCLE—Bit 2. Send SMI special cycle.
• EXIT—Bit 3. Exit SMM: unmap the SMRAM memory areas, restore the previous masking status of NMI and unconditionally reenable SMI.
• RSM_CYCLE—Bit 4. Send RSM special cycle.

Writes to the SMM_CTL MSR cause a #GP if the BIOS has locked the SMM control registers by setting HWCR[SMMLOCK].

Conceptually, the bits are processed in the order of ENTER, SMI_CYCLE, DISMISS, RSM_CYCLE, EXIT, though only the following bit combinations may be set together in a single write (for all other combinations of more than one bit, behavior is undefined):

• ENTER + SMI_CYCLE
• DISMISS + ENTER
• DISMISS + ENTER + SMI_CYCLE
• EXIT + RSM_CYCLE

The VMM must ensure that ENTER and EXIT operations are properly matched, and not nested, otherwise processor behavior is undefined.
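The VM_CR write rules of Section 15.28.1 (LOCK masking, the SVMDIS/EFER.SVME interaction, and what INIT clears) as a software model that a hypervisor or firmware test harness could check its own MSR handling against. This is an added example, not AMD's code; treating a write with reserved (MBZ) bits set as a #GP, and leaving DPD, R_INIT and DIS_A20M untouched by INIT, are assumptions the section does not state.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit positions follow Figure 15-14 (Section 15.28.1). */
#define VM_CR_DPD       (1ULL << 0)
#define VM_CR_R_INIT    (1ULL << 1)
#define VM_CR_DIS_A20M  (1ULL << 2)
#define VM_CR_LOCK      (1ULL << 3)
#define VM_CR_SVMDIS    (1ULL << 4)
#define VM_CR_RESERVED  (~0x1FULL)          /* bits 63:5, MBZ */

enum msr_result { MSR_OK = 0, MSR_GP = 1 }; /* MSR_GP models a #GP fault */

/* Model a WRMSR to VM_CR. cur: current value, updated on success.
 * efer_svme: current EFER.SVME. wr: the value being written. */
enum msr_result vm_cr_write(uint64_t *cur, bool efer_svme, uint64_t wr)
{
    if (wr & VM_CR_RESERVED)        /* assumption: MBZ violation faults */
        return MSR_GP;
    /* Setting SVMDIS while EFER.SVME is 1 faults regardless of LOCK. */
    if ((wr & VM_CR_SVMDIS) && efer_svme)
        return MSR_GP;
    uint64_t next = wr;
    if (*cur & VM_CR_LOCK)          /* LOCK set: LOCK/SVMDIS writes ignored */
        next = (wr & ~(VM_CR_LOCK | VM_CR_SVMDIS))
             | (*cur & (VM_CR_LOCK | VM_CR_SVMDIS));
    *cur = next;
    return MSR_OK;
}

/* The EFER side: with VM_CR.SVMDIS set, SVME is treated as MBZ, so asking
 * for SVME=1 faults. CPUID is deliberately not consulted, since SVMDIS does
 * not change what CPUID reports about SVM. */
enum msr_result efer_svme_write(uint64_t vm_cr, bool svme_requested)
{
    if (svme_requested && (vm_cr & VM_CR_SVMDIS))
        return MSR_GP;
    return MSR_OK;
}

/* Effect of INIT on VM_CR: SVMDIS is cleared only while LOCK is 0, and LOCK
 * itself is never touched by INIT. The other bits are outside what this
 * section specifies and are left unchanged here (assumption). */
void vm_cr_on_init(uint64_t *cur)
{
    if (!(*cur & VM_CR_LOCK))
        *cur &= ~VM_CR_SVMDIS;
}
```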
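A validator for SMM_CTL writes built from the rules of Section 15.28.3: the defined single-bit and multi-bit combinations, the HWCR[SMMLOCK] #GP rule, and the requirement that ENTER and EXIT be matched and not nested. This is an added example, not AMD's or any vendor's code; rejecting a write of 0 is an assumption, since the section defines no action for it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Bit positions follow Figure 15-15 (Section 15.28.3). */
#define SMM_CTL_DISMISS    (1ULL << 0)
#define SMM_CTL_ENTER      (1ULL << 1)
#define SMM_CTL_SMI_CYCLE  (1ULL << 2)
#define SMM_CTL_EXIT       (1ULL << 3)
#define SMM_CTL_RSM_CYCLE  (1ULL << 4)
#define SMM_CTL_RESERVED   (~0x1FULL)   /* bits 63:5, MBZ */

/* True if the section defines behaviour for writing wr: no reserved bits and
 * either a single action bit or one of the four listed combinations. Any other
 * multi-bit value is undefined; a write of 0 is rejected too (assumption). */
bool smm_ctl_write_defined(uint64_t wr)
{
    static const uint64_t allowed[] = {
        SMM_CTL_ENTER | SMM_CTL_SMI_CYCLE,
        SMM_CTL_DISMISS | SMM_CTL_ENTER,
        SMM_CTL_DISMISS | SMM_CTL_ENTER | SMM_CTL_SMI_CYCLE,
        SMM_CTL_EXIT | SMM_CTL_RSM_CYCLE,
    };
    if (wr == 0 || (wr & SMM_CTL_RESERVED))
        return false;
    if ((wr & (wr - 1)) == 0)               /* exactly one bit set */
        return true;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (wr == allowed[i])
            return true;
    return false;
}

/* Gate a write on the ENTER/EXIT pairing rule and HWCR[SMMLOCK]. in_smm is
 * the VMM's own record of an outstanding ENTER, updated only when the write
 * is accepted; smmlock mirrors the BIOS lock under which hardware raises #GP. */
bool smm_ctl_apply(bool *in_smm, bool smmlock, uint64_t wr)
{
    if (smmlock || !smm_ctl_write_defined(wr))
        return false;
    if ((wr & SMM_CTL_ENTER) && *in_smm)    /* nested ENTER */
        return false;
    if ((wr & SMM_CTL_EXIT) && !*in_smm)    /* EXIT without a matching ENTER */
        return false;
    /* Processing order is ENTER, SMI_CYCLE, DISMISS, RSM_CYCLE, EXIT; the
     * allowed combinations never carry ENTER and EXIT together. */
    if (wr & SMM_CTL_ENTER) *in_smm = true;
    if (wr & SMM_CTL_EXIT)  *in_smm = false;
    return true;
}
```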