From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933832AbcIFJVO (ORCPT ); Tue, 6 Sep 2016 05:21:14 -0400 Received: from mail.skyhub.de ([78.46.96.112]:33008 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754086AbcIFJUH (ORCPT ); Tue, 6 Sep 2016 05:20:07 -0400 Date: Tue, 6 Sep 2016 11:31:13 +0200 From: Borislav Petkov To: Tom Lendacky Cc: linux-arch@vger.kernel.org, linux-efi@vger.kernel.org, kvm@vger.kernel.org, linux-doc@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, iommu@lists.linux-foundation.org, Radim =?utf-8?B?S3LEjW3DocWZ?= , Arnd Bergmann , Jonathan Corbet , Matt Fleming , Joerg Roedel , Konrad Rzeszutek Wilk , Andrey Ryabinin , Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , Paolo Bonzini , Alexander Potapenko , Thomas Gleixner , Dmitry Vyukov Subject: Re: [RFC PATCH v2 07/20] x86: Provide general kernel support for memory encryption Message-ID: <20160906093113.GA18319@pd.tnic> References: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net> <20160822223646.29880.28794.stgit@tlendack-t1.amdoffice.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20160822223646.29880.28794.stgit@tlendack-t1.amdoffice.net> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote: > Adding general kernel support for memory encryption includes: > - Modify and create some page table macros to include the Secure Memory > Encryption (SME) memory encryption mask > - Update kernel boot support to call an SME routine that checks for and > sets the SME capability (the SME routine will grow later and for now > is just a stub routine) > - Update kernel boot support to call an SME routine that encrypts the > kernel (the SME routine will grow later and for now is just a stub > routine) > - Provide an SME initialization routine to update the protection map with > the memory encryption mask so that it is used by default > > Signed-off-by: Tom Lendacky ... > diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c > index 54a2372..88c7bae 100644 > --- a/arch/x86/kernel/head64.c > +++ b/arch/x86/kernel/head64.c > @@ -28,6 +28,7 @@ > #include > #include > #include > +#include > > /* > * Manage page tables very early on. > @@ -42,7 +43,7 @@ static void __init reset_early_page_tables(void) > { > memset(early_level4_pgt, 0, sizeof(pgd_t)*(PTRS_PER_PGD-1)); > next_early_pgt = 0; > - write_cr3(__pa_nodebug(early_level4_pgt)); > + write_cr3(__sme_pa_nodebug(early_level4_pgt)); > } > > /* Create a new PMD entry */ > @@ -54,7 +55,7 @@ int __init early_make_pgtable(unsigned long address) > pmdval_t pmd, *pmd_p; > > /* Invalid address or early pgt is done ? */ > - if (physaddr >= MAXMEM || read_cr3() != __pa_nodebug(early_level4_pgt)) > + if (physaddr >= MAXMEM || read_cr3() != __sme_pa_nodebug(early_level4_pgt)) > return -1; > > again: > @@ -157,6 +158,11 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data) > > clear_page(init_level4_pgt); > > + /* Update the early_pmd_flags with the memory encryption mask */ > + early_pmd_flags |= _PAGE_ENC; > + > + sme_early_init(); > + So maybe this comes later but you're setting _PAGE_ENC unconditionally *before* sme_early_init(). I think you should set it in sme_early_init() and iff SME is enabled. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Borislav Petkov Subject: Re: [RFC PATCH v2 07/20] x86: Provide general kernel support for memory encryption Date: Tue, 6 Sep 2016 11:31:13 +0200 Message-ID: <20160906093113.GA18319@pd.tnic> References: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net> <20160822223646.29880.28794.stgit@tlendack-t1.amdoffice.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20160822223646.29880.28794.stgit-qCXWGYdRb2BnqfbPTmsdiZQ+2ll4COg0XqFh9Ls21Oc@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Tom Lendacky Cc: linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, kvm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Radim =?utf-8?B?S3LEjW3DocWZ?= , Matt Fleming , x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org, Alexander Potapenko , "H. Peter Anvin" , linux-arch-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Jonathan Corbet , linux-doc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, kasan-dev-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org, Ingo Molnar , Andrey Ryabinin , Arnd Bergmann , Andy Lutomirski , Thomas Gleixner , Dmitry Vyukov , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Paolo Bonzini List-Id: linux-efi@vger.kernel.org On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote: > Adding general kernel support for memory encryption includes: > - Modify and create some page table macros to include the Secure Memory > Encryption (SME) memory encryption mask > - Update kernel boot support to call an SME routine that checks for and > sets the SME capability (the SME routine will grow later and for now > is just a stub routine) > - Update kernel boot support to call an SME routine that encrypts the > kernel (the SME routine will grow later and for now is just a stub > routine) > - Provide an SME initialization routine to update the protection map with > the memory encryption mask so that it is used by default > > Signed-off-by: Tom Lendacky ... > diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c > index 54a2372..88c7bae 100644 > --- a/arch/x86/kernel/head64.c > +++ b/arch/x86/kernel/head64.c > @@ -28,6 +28,7 @@ > #include > #include > #include > +#include > > /* > * Manage page tables very early on. > @@ -42,7 +43,7 @@ static void __init reset_early_page_tables(void) > { > memset(early_level4_pgt, 0, sizeof(pgd_t)*(PTRS_PER_PGD-1)); > next_early_pgt = 0; > - write_cr3(__pa_nodebug(early_level4_pgt)); > + write_cr3(__sme_pa_nodebug(early_level4_pgt)); > } > > /* Create a new PMD entry */ > @@ -54,7 +55,7 @@ int __init early_make_pgtable(unsigned long address) > pmdval_t pmd, *pmd_p; > > /* Invalid address or early pgt is done ? */ > - if (physaddr >= MAXMEM || read_cr3() != __pa_nodebug(early_level4_pgt)) > + if (physaddr >= MAXMEM || read_cr3() != __sme_pa_nodebug(early_level4_pgt)) > return -1; > > again: > @@ -157,6 +158,11 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data) > > clear_page(init_level4_pgt); > > + /* Update the early_pmd_flags with the memory encryption mask */ > + early_pmd_flags |= _PAGE_ENC; > + > + sme_early_init(); > + So maybe this comes later but you're setting _PAGE_ENC unconditionally *before* sme_early_init(). I think you should set it in sme_early_init() and iff SME is enabled. -- Regards/Gruss, Boris. ECO tip #101: Trim your mails when you reply.