Date: Thu, 27 Jul 2017 09:17:18 +0200
From: Ingo Molnar
To: Tom Lendacky
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar, Borislav Petkov, Andy Lutomirski, "H. Peter Anvin", Thomas Gleixner, Dave Young, Brijesh Singh, kexec@lists.infradead.org, Linus Torvalds
Subject: Re: [PATCH v1 1/2] x86/mm, kexec: Fix memory corruption with SME on successive kexecs
Message-ID: <20170727071717.aydwpzaji6l2o6xs@gmail.com>
References: <28648b23b9957506069e20bd985e3d7e8af94780.1501092102.git.thomas.lendacky@amd.com>
In-Reply-To: <28648b23b9957506069e20bd985e3d7e8af94780.1501092102.git.thomas.lendacky@amd.com>

* Tom Lendacky wrote:

> After issuing successive kexecs it was found that the SHA hash failed
> verification when booting the kexec'd kernel. When SME is enabled, the
> change from using pages that were marked encrypted to now being marked as
> not encrypted (through new identity mapped page tables) results in memory
> corruption if there are any cache entries for the previously encrypted
> pages. This is because separate cache entries can exist for the same
> physical location but tagged both with and without the encryption bit.
>
> To prevent this, issue a wbinvd before copying the pages from the source
> location to the destination location to clear any possible cache entry
> conflicts.
>
> Cc:
> Signed-off-by: Tom Lendacky
> ---
> arch/x86/kernel/relocate_kernel_64.S | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
> index 98111b3..c11d8bc 100644
> --- a/arch/x86/kernel/relocate_kernel_64.S
> +++ b/arch/x86/kernel/relocate_kernel_64.S
> @@ -132,6 +132,13 @@ identity_mapped:
> /* Flush the TLB (needed?) */
> movq %r9, %cr3
>
> + /*
> + * If SME is/was active, there could be old encrypted cache line
> + * entries that will conflict with the now unencrypted memory
> + * used by kexec. Flush the caches before copying the kernel.
> + */
> + wbinvd

WBINVD is very expensive IIRC - several milliseconds.

So if we change the page table from encrypted to unencrypted we need to do a full cache flush sounds pretty broken to me - how can then this be done via an API such as mmap() without executing WBINVD?

Thanks,

Ingo
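Review bot: The wbinvd added after "movq %r9, %cr3" in identity_mapped executes on every kexec, while the comment above it scopes the problem to "If SME is/was active". Either have the caller pass in whether SME is active and branch around the instruction when it is not, or reword the comment to say that the flush is deliberately unconditional and why. The comment already says the flush must happen before the kernel is copied; it would also help to state that it belongs after the page-table switch just above, so that a later reordering of this sequence does not move it.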