From: Tom Lendacky
To: Borislav Petkov
Cc: Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Andrey Ryabinin, Ingo Molnar, Andy Lutomirski, "H. Peter Anvin", Paolo Bonzini, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Subject: Re: [RFC PATCH v2 16/20] x86: Check for memory encryption on the APs
Date: Wed, 14 Sep 2016 08:50:25 -0500
Message-ID: <06a97eaa-d54f-9f7e-d207-4ff3e576169f@amd.com>
In-Reply-To: <20160912121739.rwuumwpwo5megmd7@pd.tnic>
References: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net> <20160822223829.29880.10341.stgit@tlendack-t1.amdoffice.net> <20160912121739.rwuumwpwo5megmd7@pd.tnic>
X-Mailing-List: linux-kernel@vger.kernel.org

On 09/12/2016 07:17 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:29PM -0500, Tom Lendacky wrote:
>> Add support to check if memory encryption is active in the kernel and that
>> it has been enabled on the AP. If memory encryption is active in the kernel
>> but has not been enabled on the AP then do not allow the AP to continue
>> start up.
>>
>> Signed-off-by: Tom Lendacky
>> ---
>> arch/x86/include/asm/msr-index.h | 2 ++
>> arch/x86/include/asm/realmode.h | 12 ++++++++++++
>> arch/x86/realmode/init.c | 4 ++++
>> arch/x86/realmode/rm/trampoline_64.S | 19 +++++++++++++++++++
>> 4 files changed, 37 insertions(+)
>
> ...
>
>> diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S >> index dac7b20..94e29f4 100644 >> --- a/arch/x86/realmode/rm/trampoline_64.S >> +++ b/arch/x86/realmode/rm/trampoline_64.S >> @@ -30,6 +30,7 @@ >> #include >> #include >> #include >> +#include >> #include "realmode.h" >> >> .text >> @@ -92,6 +93,23 @@ ENTRY(startup_32) >> movl %edx, %fs >> movl %edx, %gs >> >> + /* Check for memory encryption support */ >> + bt $TH_FLAGS_SME_ENABLE_BIT, pa_tr_flags >> + jnc .Ldone >> + movl $MSR_K8_SYSCFG, %ecx >> + rdmsr >> + bt $MSR_K8_SYSCFG_MEM_ENCRYPT_BIT, %eax >> + jc .Ldone >> + >> + /* >> + * Memory encryption is enabled but the MSR has not been set on this >> + * CPU so we can't continue
>
> Hmm, let me try to parse this correctly: BSP has SME enabled but the
> BIOS might not've set this on the AP? Really? Is that even possible?

Anything is possible, although it's highly unlikely.

>
> Because if SME is enabled, that means that MSR_K8_SYSCFG[23] on the BSP
> is set, right?

Correct.

>
> Also, I want to rule out here simple BIOS idiocy: if the only problem
> with the bit not being set in the AP is because some BIOS monkey forgot
> to do so, then we should try to set it ourselves and not die for no real
> reason.

Yes, we can do that. I was debating on which way to go with this. Most
likely this would never happen, but if it did... I can change this to
set the MSR bit and continue.

Thanks,
Tom

>
> Or is there another issue?
>
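Review bot: The comment "Check for memory encryption support" at the top of the added block in the startup_32 hunk (@@ -92,6 +93,23 @@) describes something the code does not test. The first bt tests TH_FLAGS_SME_ENABLE_BIT in pa_tr_flags, which is the kernel's own record that encryption is active, and the second tests MSR_K8_SYSCFG_MEM_ENCRYPT_BIT as read on this CPU, so the block checks that the AP's enable bit agrees with the kernel's state rather than whether the CPU supports the feature. Suggest rewording the comment along the lines of "Check that memory encryption is enabled on this AP if the kernel is using it". Separately, rdmsr overwrites %eax and %edx, and the context lines show %edx was just used to load %fs and %gs, so please confirm that nothing after .Ldone still expects the earlier register values.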
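The condition this thread worries about (MSR_K8_SYSCFG[23] set on the BSP but clear on an AP) can also be audited from user space on a running system. The following C program is an added example, not code from the patch or from either participant; it assumes the Linux msr driver's /dev/cpu/N/msr interface, 0xc0010010 as the address of MSR_K8_SYSCFG, CPU 0 as the BSP, and the hypothetical function names read_msr and sme_mismatches.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_K8_SYSCFG      0xc0010010u   /* AMD SYSCFG MSR address (assumption) */
#define SYSCFG_MEM_ENCRYPT (1ull << 23)  /* MSR_K8_SYSCFG[23], as in the thread */
#define MAX_CPUS           1024

/* Read one MSR through the Linux msr driver; returns 0 on success. */
static int read_msr(int cpu, uint32_t msr, uint64_t *val)
{
    char path[64];
    snprintf(path, sizeof(path), "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, val, sizeof(*val), (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof(*val) ? 0 : -1;
}

/* Hypothetical helper: count CPUs whose enable bit differs from the BSP
 * (index 0); *first_bad gets the first such CPU, or -1 if all agree. */
static int sme_mismatches(const uint64_t *syscfg, int ncpus, int *first_bad)
{
    int bad = 0;
    *first_bad = -1;
    for (int cpu = 1; cpu < ncpus; cpu++) {
        if (!((syscfg[cpu] ^ syscfg[0]) & SYSCFG_MEM_ENCRYPT))
            continue;               /* same setting as the BSP */
        if (bad++ == 0)
            *first_bad = cpu;
    }
    return bad;
}

int main(void)
{
    static uint64_t v[MAX_CPUS];
    int n = 0, first;
    /* Assumes CPUs are numbered contiguously from 0 and CPU 0 is the BSP. */
    while (n < MAX_CPUS && read_msr(n, MSR_K8_SYSCFG, &v[n]) == 0)
        n++;
    if (n == 0)
        return 2;                   /* needs root and the msr module */
    int bad = sme_mismatches(v, n, &first);
    printf("%d CPUs, SYSCFG[23] on CPU 0: %d, mismatches: %d, first: %d\n", n, (int)((v[0] >> 23) & 1), bad, first);
    return bad ? 1 : 0;
}
```

A non-zero mismatch count is the state the quoted check refuses to boot with; other SYSCFG bits are ignored by the comparison.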