From: Tom Lendacky <thomas.lendacky@amd.com>
To: Borislav Petkov <bp@alien8.de>
Cc: linux-arch@vger.kernel.org, linux-efi@vger.kernel.org,
kvm@vger.kernel.org, linux-doc@vger.kernel.org, x86@kernel.org,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-mm@kvack.org, iommu@lists.linux-foundation.org,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Jonathan Corbet" <corbet@lwn.net>,
"Matt Fleming" <matt@codeblueprint.co.uk>,
"Joerg Roedel" <joro@8bytes.org>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Andy Lutomirski" <luto@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Alexander Potapenko" <glider@google.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Dmitry Vyukov" <dvyukov@google.com>
Subject: Re: [RFC PATCH v2 20/20] x86: Add support to make use of Secure Memory Encryption
Date: Wed, 14 Sep 2016 09:31:42 -0500 [thread overview]
Message-ID: <11306db6-fec1-db98-5e1b-400f7d828f7e@amd.com> (raw)
In-Reply-To: <20160912170856.2uklaoc4vxmkgnkq@pd.tnic>
On 09/12/2016 12:08 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:39:08PM -0500, Tom Lendacky wrote:
>> This patch adds the support to check if SME has been enabled and if the
>> mem_encrypt=on command line option is set. If both of these conditions
>> are true, then the encryption mask is set and the kernel is encrypted
>> "in place."
>>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>> ---
>> Documentation/kernel-parameters.txt | 3
>> arch/x86/kernel/asm-offsets.c | 2
>> arch/x86/kernel/mem_encrypt.S | 302 +++++++++++++++++++++++++++++++++++
>> arch/x86/mm/mem_encrypt.c | 2
>> 4 files changed, 309 insertions(+)
>>
>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>> index 46c030a..a1986c8 100644
>> --- a/Documentation/kernel-parameters.txt
>> +++ b/Documentation/kernel-parameters.txt
>> @@ -2268,6 +2268,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>> memory contents and reserves bad memory
>> regions that are detected.
>>
>> + mem_encrypt=on [X86_64] Enable memory encryption on processors
>> + that support this feature.
>> +
>> meye.*= [HW] Set MotionEye Camera parameters
>> See Documentation/video4linux/meye.txt.
>>
>> diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
>> index 2bd5c6f..e485ada 100644
>> --- a/arch/x86/kernel/asm-offsets.c
>> +++ b/arch/x86/kernel/asm-offsets.c
>> @@ -85,6 +85,8 @@ void common(void) {
>> OFFSET(BP_init_size, boot_params, hdr.init_size);
>> OFFSET(BP_pref_address, boot_params, hdr.pref_address);
>> OFFSET(BP_code32_start, boot_params, hdr.code32_start);
>> + OFFSET(BP_cmd_line_ptr, boot_params, hdr.cmd_line_ptr);
>> + OFFSET(BP_ext_cmd_line_ptr, boot_params, ext_cmd_line_ptr);
>>
>> BLANK();
>> DEFINE(PTREGS_SIZE, sizeof(struct pt_regs));
>> diff --git a/arch/x86/kernel/mem_encrypt.S b/arch/x86/kernel/mem_encrypt.S
>> index f2e0536..bf9f6a9 100644
>> --- a/arch/x86/kernel/mem_encrypt.S
>> +++ b/arch/x86/kernel/mem_encrypt.S
>> @@ -12,13 +12,230 @@
>>
>> #include <linux/linkage.h>
>>
>> +#include <asm/processor-flags.h>
>> +#include <asm/pgtable.h>
>> +#include <asm/page.h>
>> +#include <asm/msr.h>
>> +#include <asm/asm-offsets.h>
>> +
>> .text
>> .code64
>> ENTRY(sme_enable)
>> +#ifdef CONFIG_AMD_MEM_ENCRYPT
>> + /* Check for AMD processor */
>> + xorl %eax, %eax
>> + cpuid
>> + cmpl $0x68747541, %ebx # AuthenticAMD
>> + jne .Lmem_encrypt_exit
>> + cmpl $0x69746e65, %edx
>> + jne .Lmem_encrypt_exit
>> + cmpl $0x444d4163, %ecx
>> + jne .Lmem_encrypt_exit
>> +
>> + /* Check for memory encryption leaf */
>> + movl $0x80000000, %eax
>> + cpuid
>> + cmpl $0x8000001f, %eax
>> + jb .Lmem_encrypt_exit
>> +
>> + /*
>> + * Check for memory encryption feature:
>> + * CPUID Fn8000_001F[EAX] - Bit 0
>> + * Secure Memory Encryption support
>> + * CPUID Fn8000_001F[EBX] - Bits 5:0
>> + * Pagetable bit position used to indicate encryption
>> + * CPUID Fn8000_001F[EBX] - Bits 11:6
>> + * Reduction in physical address space (in bits) when enabled
>> + */
>> + movl $0x8000001f, %eax
>> + cpuid
>> + bt $0, %eax
>> + jnc .Lmem_encrypt_exit
>> +
>> + /* Check if BIOS/UEFI has allowed memory encryption */
>> + movl $MSR_K8_SYSCFG, %ecx
>> + rdmsr
>> + bt $MSR_K8_SYSCFG_MEM_ENCRYPT_BIT, %eax
>> + jnc .Lmem_encrypt_exit
>
> Like other people suggested, it would be great if this were in C. Should be
> actually readable :)
Yup, working on that. I'll try and make it all completely C.
>
>> +
>> + /* Check for the mem_encrypt=on command line option */
>> + push %rsi /* Save RSI (real_mode_data) */
>> + push %rbx /* Save CPUID information */
>> + movl BP_ext_cmd_line_ptr(%rsi), %ecx
>> + shlq $32, %rcx
>> + movl BP_cmd_line_ptr(%rsi), %edi
>> + addq %rcx, %rdi
>> + leaq mem_encrypt_enable_option(%rip), %rsi
>> + call cmdline_find_option_bool
>> + pop %rbx /* Restore CPUID information */
>> + pop %rsi /* Restore RSI (real_mode_data) */
>> + testl %eax, %eax
>> + jz .Lno_mem_encrypt
>
> This too.
>
>> +
>> + /* Set memory encryption mask */
>> + movl %ebx, %ecx
>> + andl $0x3f, %ecx
>> + bts %ecx, sme_me_mask(%rip)
>> +
>> +.Lno_mem_encrypt:
>> + /*
>> + * BIOS/UEFI has allowed memory encryption so we need to set
>> + * the amount of physical address space reduction even if
>> + * the user decides not to use memory encryption.
>> + */
>> + movl %ebx, %ecx
>> + shrl $6, %ecx
>> + andl $0x3f, %ecx
>> + movb %cl, sme_me_loss(%rip)
>> +
>> +.Lmem_encrypt_exit:
>> +#endif /* CONFIG_AMD_MEM_ENCRYPT */
>> +
>> ret
>> ENDPROC(sme_enable)
>>
>> ENTRY(sme_encrypt_kernel)
>
> This should be doable too but I guess you'll have to try it to see.
>
> ...
>
>> diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
>> index 2f28d87..1154353 100644
>> --- a/arch/x86/mm/mem_encrypt.c
>> +++ b/arch/x86/mm/mem_encrypt.c
>> @@ -183,6 +183,8 @@ void __init mem_encrypt_init(void)
>>
>> /* Make SWIOTLB use an unencrypted DMA area */
>> swiotlb_clear_encryption();
>> +
>> + pr_info("memory encryption active\n");
>
> Let's make it more official with nice caps and so on...
>
> pr_info("AMD Secure Memory Encryption active.\n");
Will do.
Thanks,
Tom
>
prev parent reply other threads:[~2016-09-14 14:31 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-22 22:35 [RFC PATCH v2 00/20] x86: Secure Memory Encryption (AMD) Tom Lendacky
2016-08-22 22:35 ` [RFC PATCH v2 01/20] x86: Documentation for AMD Secure Memory Encryption (SME) Tom Lendacky
2016-09-02 8:50 ` Borislav Petkov
2016-09-07 14:02 ` Tom Lendacky
2016-09-07 15:23 ` Borislav Petkov
2016-08-22 22:35 ` [RFC PATCH v2 02/20] x86: Set the write-protect cache mode for full PAT support Tom Lendacky
2016-08-25 3:58 ` Borislav Petkov
2016-08-22 22:35 ` [RFC PATCH v2 03/20] x86: Secure Memory Encryption (SME) build enablement Tom Lendacky
2016-09-02 11:03 ` Borislav Petkov
2016-09-07 14:03 ` Tom Lendacky
2016-08-22 22:36 ` [RFC PATCH v2 04/20] x86: Secure Memory Encryption (SME) support Tom Lendacky
2016-08-25 13:04 ` Thomas Gleixner
2016-08-30 13:19 ` Tom Lendacky
2016-08-30 14:57 ` Andy Lutomirski
2016-08-31 13:26 ` Tom Lendacky
2016-08-22 22:36 ` [RFC PATCH v2 05/20] x86: Add the Secure Memory Encryption cpu feature Tom Lendacky
2016-09-02 14:09 ` Borislav Petkov
2016-09-07 14:07 ` Tom Lendacky
2016-08-22 22:36 ` [RFC PATCH v2 06/20] x86: Handle reduction in physical address size with SME Tom Lendacky
2016-08-22 22:36 ` [RFC PATCH v2 07/20] x86: Provide general kernel support for memory encryption Tom Lendacky
2016-09-02 18:14 ` Borislav Petkov
2016-09-07 14:11 ` Tom Lendacky
2016-09-05 8:48 ` Borislav Petkov
2016-09-07 14:16 ` Tom Lendacky
2016-09-05 15:22 ` Borislav Petkov
2016-09-07 14:19 ` Tom Lendacky
2016-09-06 9:31 ` Borislav Petkov
2016-09-07 14:30 ` Tom Lendacky
2016-09-07 15:55 ` Borislav Petkov
2016-09-08 13:26 ` Tom Lendacky
2016-09-08 13:55 ` Borislav Petkov
2016-09-12 13:43 ` Tom Lendacky
2016-08-22 22:37 ` [RFC PATCH v2 08/20] x86: Extend the early_memmap support with additional attrs Tom Lendacky
2016-08-22 22:37 ` [RFC PATCH v2 09/20] x86: Add support for early encryption/decryption of memory Tom Lendacky
2016-09-06 16:12 ` Borislav Petkov
2016-08-22 22:37 ` [RFC PATCH v2 10/20] x86: Insure that memory areas are encrypted when possible Tom Lendacky
2016-09-09 15:53 ` Borislav Petkov
2016-09-12 15:05 ` Tom Lendacky
2016-09-12 16:33 ` Borislav Petkov
2016-09-14 14:11 ` Tom Lendacky
2016-08-22 22:37 ` [RFC PATCH v2 11/20] mm: Access BOOT related data in the clear Tom Lendacky
2016-09-09 16:38 ` Borislav Petkov
2016-09-12 15:14 ` Tom Lendacky
2016-09-12 16:35 ` Borislav Petkov
2016-09-12 16:55 ` Andy Lutomirski
2016-09-14 14:20 ` Tom Lendacky
2016-09-15 9:57 ` Matt Fleming
2016-09-15 16:52 ` Tom Lendacky
2016-08-22 22:37 ` [RFC PATCH v2 12/20] x86: Add support for changing memory encryption attribute Tom Lendacky
2016-09-09 17:23 ` Borislav Petkov
2016-09-12 15:41 ` Tom Lendacky
2016-09-12 16:41 ` Borislav Petkov
2016-08-22 22:37 ` [RFC PATCH v2 13/20] x86: Decrypt trampoline area if memory encryption is active Tom Lendacky
2016-09-09 17:34 ` Borislav Petkov
2016-09-12 15:43 ` Tom Lendacky
2016-08-22 22:38 ` [RFC PATCH v2 14/20] x86: DMA support for memory encryption Tom Lendacky
2016-09-12 10:58 ` Borislav Petkov
2016-09-14 13:36 ` Tom Lendacky
2016-08-22 22:38 ` [RFC PATCH v2 15/20] iommu/amd: AMD IOMMU " Tom Lendacky
2016-09-12 11:45 ` Borislav Petkov
2016-09-14 13:45 ` Tom Lendacky
2016-09-14 14:41 ` Borislav Petkov
2016-09-15 16:57 ` Tom Lendacky
2016-09-16 7:08 ` Borislav Petkov
2016-08-22 22:38 ` [RFC PATCH v2 16/20] x86: Check for memory encryption on the APs Tom Lendacky
2016-09-12 12:17 ` Borislav Petkov
2016-09-14 13:50 ` Tom Lendacky
2016-09-12 16:43 ` Borislav Petkov
2016-09-14 14:12 ` Tom Lendacky
2016-08-22 22:38 ` [RFC PATCH v2 17/20] x86: Do not specify encrypted memory for VGA mapping Tom Lendacky
2016-08-22 22:38 ` [RFC PATCH v2 18/20] x86/kvm: Enable Secure Memory Encryption of nested page tables Tom Lendacky
2016-09-12 14:35 ` Borislav Petkov
2016-09-14 14:02 ` Tom Lendacky
2016-08-22 22:38 ` [RFC PATCH v2 19/20] x86: Access the setup data through debugfs un-encrypted Tom Lendacky
2016-09-12 16:59 ` Borislav Petkov
2016-09-14 14:29 ` Tom Lendacky
2016-09-14 14:51 ` Borislav Petkov
2016-09-15 17:08 ` Tom Lendacky
2016-09-16 7:11 ` Borislav Petkov
2016-08-22 22:39 ` [RFC PATCH v2 20/20] x86: Add support to make use of Secure Memory Encryption Tom Lendacky
2016-09-12 17:08 ` Borislav Petkov
2016-09-14 14:31 ` Tom Lendacky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11306db6-fec1-db98-5e1b-400f7d828f7e@amd.com \
--to=thomas.lendacky@amd.com \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=kasan-dev@googlegroups.com \
--cc=konrad.wilk@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=matt@codeblueprint.co.uk \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).