From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753323AbdHQSml (ORCPT ); Thu, 17 Aug 2017 14:42:41 -0400 Received: from mail-by2nam03on0044.outbound.protection.outlook.com ([104.47.42.44]:40160 "EHLO NAM03-BY2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752270AbdHQSmi (ORCPT ); Thu, 17 Aug 2017 14:42:38 -0400 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Lendacky@amd.com; Subject: Re: [RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active To: Borislav Petkov , Brijesh Singh Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-efi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Tony Luck , Piotr Luc , Fenghua Yu , Lu Baolu , Reza Arbab , David Howells , Matt Fleming , "Kirill A . Shutemov" , Laura Abbott , Ard Biesheuvel , Andrew Morton , Eric Biederman , Benjamin Herrenschmidt , Paul Mackerras , Konrad Rzeszutek Wilk , Jonathan Corbet , Dave Airlie , Kees Cook , Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Arnd Bergmann , Tejun Heo , Christoph Lameter References: <20170724190757.11278-1-brijesh.singh@amd.com> <20170724190757.11278-9-brijesh.singh@amd.com> <20170728103152.GE1889@nazgul.tnic> From: Tom Lendacky Message-ID: <9b56cea1-3338-8d75-e7ff-ecfa06046630@amd.com> Date: Thu, 17 Aug 2017 13:42:04 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20170728103152.GE1889@nazgul.tnic> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [165.204.78.1] X-ClientProxiedBy: CO1PR15CA0055.namprd15.prod.outlook.com (10.175.176.23) To BN6PR12MB1137.namprd12.prod.outlook.com (10.168.226.139) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7e73ae29-bf0c-4a89-068e-08d4e59fb857 X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BN6PR12MB1137; X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1137;3:oiWGANBLgxoatZK1CMKVq8MEn0t7HCteA5BG+I2fSTYOY+jAH8M5HXoG/cyUsLf9QFvvCsQYb5Jv3mh6lT0FHTcYkBZ/dh+Gyw0udoCUTABcaJmyAzGMoZmcvxsqrUv6C1dWgz+Acfco3d127jLQBFblnh14KrxFnktD72roCPKm5dOtblHbb9EXOOP7YXRqtfJiwxt+MnWMglIjEP00W7Zx4p/EvyG/YKsiVkIbnvUVsw4rJ1OItmDf6k4/lDn4;25:OL6cZ1MT4a0xFe41l/Pjq0/OGT/+3r6Gte7GE4FCgUIuAcwGtchUxANl3gRmK+wBbv4Sv+JNjtHnroWWrwgTZdtqiObAdlVolUBSTKSnc891GiXPehkMo8TAHIwC+w2EjIDJQ4wlslGVl/j6LPGa/muYGD79achAPCviaW/L40aEhoivFxnJqTUGcQTy3+D8TY3pzKlo2IubQvDCIA+9j2YCtGrmfCGjljGNOzXXhh3+4og1EQiFjWbuS+KV3xuaVIA/vhReoze5VJURAyNiPsBF3iUUVsrN70s51nF2N1rNm4m6/EwFhKAkpQTXMtMk4zu22mJSXZxphcjfJVyCsQ==;31:lrACBbma0sPFjjfamyZZBkNaJ0YNDC1m2SbSvj9P3Fvz48kfVFNYcwvgrnV/w3xHWlXMM5NAvsRYqDUvifxC/Dq0oNDxi/Fah8jQwDMnetHPu2ek0ssI/CZSuAgwHabjZj+7IBb6ENS33ghFabCe3e/bF2GcaA8I0G8sJX7OKJEdcaKCI6NHhKAFgSrkeNKie7/o6gAFtEOZqN5xSHiBFdGeWPVb5QXccm8V+J5nf6A= X-MS-TrafficTypeDiagnostic: BN6PR12MB1137: X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1137;20:8clwfE88mrRiVF4jk6ksol6g8dcJr0X0zMqGjRUV08dqdksWembG6r7nj2KfyMbBXPTRO5ke6OMHs9q3FUDMgV5QcjcMrKJn/wopnyeNoh99KG+zMBKFqNbbiqkuBQYkkeBfgWGqBHyukIOseowmTWXc3HpodwkJaVrrwLizkVkRQQR5KOlmKtCB5t3wjC1OR9XX5xo1a+3CXPn3Fb2pQwU3opnCI0Dltxk7i5PJfYDbjc3Xv36w3+/u6mM+G90siAn4/4bBiDSQtUXNuXtsCql8o9gSMglFse2WI9TNivrfk27vwGZ3uF6afK8pmoYAhE08SzECp+C1bmc1Gk5sX+bZJzyO7hbtxm5zO2/kmmRftwN5ML210uWJaUgnwDMsK05K4Uu1WhwrFVvB5LUPauggrb3rDRvi5qZFwMLM5fdzj72W6SUDa9XWMmPeoolyaytpKRTP4L2PZUPnk1ts/1pGFYo0HQDc0GcCH3IjQdN6HFK0vraG9ErVg6ox2okw;4:FoVd9zPJRTBTxRpOoBxMVHnCK1C/GsYTjmD2+RFVwqfhVT8uwgEPprP8+ejJqM3AL5yTWeBL/G0HA6sbgytzHvQhOqNgPkofq0dJfH/wjPJHQao6j80Mk55Q3KMRvPXj50fPO46tAC+4D8JN7MXlfPp82POBgq7PFsqr+rhjPnIIxeEyqhKOd/ygRMi1lxnsym8HJbtSQhnxt4EM5mYM+bmIQF1GTnNvuq3SknfcJ34MIozTofCHVy6k9PZpoe1CpoH3PKJNSfeck9IvkhcLq8o1PBl6OrQivDpGGLGjEV8= X-Exchange-Antispam-Report-Test: UriScan:(767451399110); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(3002001)(6055026)(6041248)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN6PR12MB1137;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN6PR12MB1137; X-Forefront-PRVS: 0402872DA1 X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(4630300001)(7370300001)(6009001)(6049001)(39860400002)(199003)(189002)(24454002)(377454003)(86362001)(305945005)(50986999)(7350300001)(90366009)(65806001)(54356999)(68736007)(53936002)(31686004)(47776003)(76176999)(6116002)(65956001)(31696002)(54906002)(230700001)(66066001)(3260700006)(189998001)(50466002)(25786009)(478600001)(101416001)(64126003)(3846002)(2906002)(7736002)(36756003)(4326008)(42186005)(105586002)(81166006)(81156014)(8676002)(72206003)(33646002)(229853002)(106356001)(53546010)(5660300001)(23676002)(6636002)(6666003)(2950100002)(65826007)(6486002)(77096006)(7416002)(4001350100001)(7406005)(6246003)(83506001)(97736004);DIR:OUT;SFP:1101;SCL:1;SRVR:BN6PR12MB1137;H:[10.236.64.250];FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtCTjZQUjEyTUIxMTM3OzIzOnpIUXJMVnBaS1N3Z0RadzkwZy8rMXJKMGFG?= =?utf-8?B?U2R0ZnUwMXE4d1JHejNJc04rZk13b1EwWWhKUWtVT2NXOXR4QUNYQ21QZTJh?= =?utf-8?B?U1ZPYWcwTW1JZVdKcGR6NlI3K3pKTDVmYk5xYTNNbHEybWpmbmVOR2dvQW94?= =?utf-8?B?bWdQNkRzUHg5TlQ0ckJqaXlDK2JvRDJzRk5pWjZ3bDJJQkVjY3JSYlpvVGJG?= =?utf-8?B?TTZ3b0pES0F1elJwMng3c0I4SGpGQnJFbVVjd0ovOTRkNytzdXRaZWhyRnlU?= =?utf-8?B?LzNqdVhQZzA1WDNsa3RRbEYzYVc3OW52ZEs5VHpNTkxubkRQL0p1bG95Ulhh?= =?utf-8?B?QVlJd0piS1I1dldQT3hKTUM3L0VkMUVvaTY4NWE3ZVRweVFPTHo4UEFOSk0z?= =?utf-8?B?QW9oanRHNVoyYjREUXY5aUdXUTJKU1kxKzhXNXhrRnVQcmd2MkJCMDlDNzFT?= =?utf-8?B?bi8rbmMzdXRDNEY0NVZ4dHkrQVF6ZndpUFZxeUcrNm5HbUF5ZjZiSTY3WW92?= =?utf-8?B?YlAwSGk2SFE5U2RnbCt0a0JtK01qMWNvUmlMV21DOEliWGdsaFRuVy9wMzA5?= =?utf-8?B?WDVZaVZwZmU4aU8xM3hyRUFKWDVoRGFuQVRTU1hCUWRZYkx0UDAzV3laYnU0?= =?utf-8?B?ZWJxTE5vR0pCT2x3SndPUVdjRXdTT2Nrc3MwRnRwbXgwMVU1NUtkZ3NzazYx?= =?utf-8?B?Ny9takwxZVpkQVNRcWpGQWhMbEJYTUZVa2RWRzd2NExUS2NYRXVzbW9kR0Fr?= =?utf-8?B?QTUwT0VhYXdnMU8vTHptRnJBTnkyQXNhcG5nekljQVJUR3ViMU9NSFN2d0w4?= =?utf-8?B?K25FSnB3cndyeWZGdkErc0NsWEUzeDZLV2JjdFZMd1hwSWZQQ2hSRHI5OEo2?= =?utf-8?B?a010U29vSVBXcjlRNjF6WUpWQVd0RlFTWnFuMmtsUnkra2JuNEUydm5mc0lK?= =?utf-8?B?cUw1bUt0YUplQ2RycUEwMUIrR3F5RTFvWEVRUFJ1dTg0ZHpGaWloRzNmMGhT?= =?utf-8?B?RUpWcjMwZ2tBR29IY21zN09ST1M3ZHFzTmh2L0w0bnI3bkZ1Sk1lWktpQTVZ?= =?utf-8?B?d05sSXRXNm9FQ1NZR2lZN29aRGZ5b1paVWxDRk01N2hZaWJaSGdId09FVmpq?= =?utf-8?B?VVJHTWxhTUF1ZnZWeGlRenNBYWsrNU1hQnlTNW04bUo4cFVpWEsyR0VEb3l3?= =?utf-8?B?V0k0emZXZ2svNkpUNWdVMEgzRHROd1JLMWJoRVJOZXplbWlTN1ZpS25pYUg0?= =?utf-8?B?MHplenNQd28wMVJ2NEVoZHMxR1hMKzJZR2M2VUpYM0VNMVZORCsyK21waVFR?= =?utf-8?B?cDA2U0tXdnVaalMzYndDOXlBc2FsczlJYU45WGZkYzBQQUgrU002cklnaUl1?= =?utf-8?B?ME5vTEo2NU9ySFhMQ091a09TeVJ2OUFzMXNGVC8rYnVRTDg1NG0rVGp5eXQ3?= =?utf-8?B?Y2o0U1kwRTAzWnZlZW04dVlTaitpMW5IdGFEOVVGRGczZXRRaWVrR203bXo1?= =?utf-8?B?MDRtYWw5ZGM4SzZpaU1lcm5QZ1lnY3NrUU1vRmc1ODlQdktVZDQ1MTVaUmU5?= =?utf-8?B?eU1ZVDM4UGk5OVVUVUMxd1RLMEVJcXBCckpPS3FlSE5oN0J4ZHFRcXhUYnh4?= =?utf-8?B?dFZ4VjFrdVhYMVhHK04xSk5OV1RWakVUWko0NUloMzBxSkFQT3Q3cytRVzdh?= =?utf-8?B?QTVTdE01MEw1Q2tWRGM5dWhMWWFIdnRjSjA2SnkvbDVia3Vxc3F1ajA1MVVO?= =?utf-8?B?ZW1Ia09ZTzcxODRzMFBWYkE2S2djMG16OWZjQWdwenFwT3dJdVNaVGMvN0xw?= =?utf-8?B?VzN1YWJHOWRZWTJTZytYZVpwWGh5TTVlVkdzYnhkajhJVHZLYUdZSFJISDl5?= =?utf-8?B?WGY3NGZJSkd1eFYvM2VpNWF2R2NLKzlGbVNNdCt1dFZFM2JMaVlZdU5hR1U3?= =?utf-8?B?bkxBZjRXOXZ1ak52dUduMTdqVG5ERzZGNW12ajJEd1Jlek0xbkh1NHZLY3lU?= =?utf-8?B?dFV2VExMRXlqaEhSMFhVWk9qWFJRbW1PR3lubkQyV040dmpNZ05GRE1KejV3?= =?utf-8?Q?+dXc=3D?= X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1137;6:39aQ1PGJV//Y12Lxe1yiJ3XfZ8ayi+6QVByOcgw3ruLQI1thqbCULP67MIY8NWBdGI8rfQhpzaYOE2g2uk1lRm3BP/7eNv7RfQ7Akf2XfAHbCOrzRMNKL6SsCekt0HdG2XbWd3GMEWgXF2WmWmQUeZ1umaDsOxffTm17iBSPnSRkYx5GnYaMbTCKNvE1lgoYooxk1HY9qIJim8Gf+eyhMZoSts/1OijQBpP0GvbKJiV6qi+dhng70Yeieng/AvtbRrhj3Vu6PJfYSFUgy5qqiApgGZkZR9Y8hNTIr1RZbvJeesscp0lNfxFgkNJJmKtxcJwNHvB+2oOFC3JforJEmQ==;5:YGZF+ONUly/A6FFnY/F0arkBlAkL7IQyP8h5gx94vgKa9XSTmnKGuRYvDkUpau5KzcD5u5ms6kv3DEIxutks1pAr2df9gAPjCigz3Nj0L0TkVQZ/dDwNdul1NRimUC87jQ/Z3V+Ta6vD0CE/pnTVUQ==;24:T6TeDFxU8wunQ7UTN3YSIaf1gINcXFT8WbxdcpXwgfFYMI/3XliFQQ3HcOyg7QRWoCmI1XeufZSE6zCZ6N63y9SyxKiFNTxTi9rlqGjlmdI=;7:q++Ub021/W1oEUptkVGJrCpYOWbvFetI0Rn2wNxvzITJa7P3SZNeFkRQuOb6DNc3cC0hodDeXrHFLQuY37Z4SKg9LN6FEn5UzZP2AMowNc8oi+dUZg1vhB39MuZKLyzXNPL8y2+ebkzFwXBR/7qb33GsR3qRUjjv0D9Tz6RAg1CCr8MJVVOPLgMQBeIk5Ju/xXgVdZtJjyJmE7+NeyNYti6z+sHQ2caU2LUbl8/LD4M= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1137;20:wGwW4xVe/fAaQ7gYam0YZ94GfUEGiYeYufX/KjLrNpJ9bNOfXhiJq8yfONy/Qx9vuBxUYNGycEWG/dHPc5Ho48PXGDAUasFSVeqYg+sTIqcByFAYLnN5AkLmnO2nFSbhm4zGJiVzcvEQjZ5mKeh2o371K9UhRSXexnxRAl79LSX8xlOOAHq814N+eBa6r2Ixfz+xkEfNVSpy1lY9wQXOohrkD79PNixP3+J0G96CzGuawGvE7DD31+Q07QhE7TZy X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Aug 2017 18:42:26.8541 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1137 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/28/2017 5:31 AM, Borislav Petkov wrote: > On Mon, Jul 24, 2017 at 02:07:48PM -0500, Brijesh Singh wrote: >> From: Tom Lendacky >> >> EFI data is encrypted when the kernel is run under SEV. Update the >> page table references to be sure the EFI memory areas are accessed >> encrypted. >> >> Signed-off-by: Tom Lendacky >> Signed-off-by: Brijesh Singh >> --- >> arch/x86/platform/efi/efi_64.c | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c >> index 12e8388..1ecb3f6 100644 >> --- a/arch/x86/platform/efi/efi_64.c >> +++ b/arch/x86/platform/efi/efi_64.c >> @@ -32,6 +32,7 @@ >> #include >> #include >> #include >> +#include >> >> #include >> #include >> @@ -369,7 +370,10 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) >> * as trim_bios_range() will reserve the first page and isolate it away >> * from memory allocators anyway. >> */ >> - if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, _PAGE_RW)) { >> + pf = _PAGE_RW; >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > \n here > >> + if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, pf)) { >> pr_err("Failed to create 1:1 mapping for the first page!\n"); >> return 1; >> } >> @@ -412,6 +416,9 @@ static void __init __map_region(efi_memory_desc_t *md, u64 va) >> if (!(md->attribute & EFI_MEMORY_WB)) >> flags |= _PAGE_PCD; >> >> + if (sev_active()) >> + flags |= _PAGE_ENC; >> + >> pfn = md->phys_addr >> PAGE_SHIFT; >> if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) >> pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", >> @@ -511,6 +518,9 @@ static int __init efi_update_mappings(efi_memory_desc_t *md, unsigned long pf) >> pgd_t *pgd = efi_pgd; >> int err1, err2; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > Move this assignment to the caller efi_update_mem_attr() where pf is being > set... Will do. > >> + >> /* Update the 1:1 mapping */ >> pfn = md->phys_addr >> PAGE_SHIFT; >> err1 = kernel_map_pages_in_pgd(pgd, pfn, md->phys_addr, md->num_pages, pf); >> @@ -589,6 +599,9 @@ void __init efi_runtime_update_mappings(void) >> (md->type != EFI_RUNTIME_SERVICES_CODE)) >> pf |= _PAGE_RW; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > ... just like here. Yup. Thanks, Tom > >> + >> efi_update_mappings(md, pf); > > In general, I'm not totally excited about that sprinkling of if > (sev_active())... :-\ > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tom Lendacky Subject: Re: [RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active Date: Thu, 17 Aug 2017 13:42:04 -0500 Message-ID: <9b56cea1-3338-8d75-e7ff-ecfa06046630@amd.com> References: <20170724190757.11278-1-brijesh.singh@amd.com> <20170724190757.11278-9-brijesh.singh@amd.com> <20170728103152.GE1889@nazgul.tnic> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20170728103152.GE1889@nazgul.tnic> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org To: Borislav Petkov , Brijesh Singh Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-efi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Tony Luck , Piotr Luc , Fenghua Yu , Lu Baolu , Reza Arbab , David Howells , Matt Fleming , "Kirill A . Shutemov" , Laura Abbott , Ard Biesheuvel , Andrew Morton , Eric Biederman , Benjamin List-Id: linux-efi@vger.kernel.org On 7/28/2017 5:31 AM, Borislav Petkov wrote: > On Mon, Jul 24, 2017 at 02:07:48PM -0500, Brijesh Singh wrote: >> From: Tom Lendacky >> >> EFI data is encrypted when the kernel is run under SEV. Update the >> page table references to be sure the EFI memory areas are accessed >> encrypted. >> >> Signed-off-by: Tom Lendacky >> Signed-off-by: Brijesh Singh >> --- >> arch/x86/platform/efi/efi_64.c | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c >> index 12e8388..1ecb3f6 100644 >> --- a/arch/x86/platform/efi/efi_64.c >> +++ b/arch/x86/platform/efi/efi_64.c >> @@ -32,6 +32,7 @@ >> #include >> #include >> #include >> +#include >> >> #include >> #include >> @@ -369,7 +370,10 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) >> * as trim_bios_range() will reserve the first page and isolate it away >> * from memory allocators anyway. >> */ >> - if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, _PAGE_RW)) { >> + pf = _PAGE_RW; >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > \n here > >> + if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, pf)) { >> pr_err("Failed to create 1:1 mapping for the first page!\n"); >> return 1; >> } >> @@ -412,6 +416,9 @@ static void __init __map_region(efi_memory_desc_t *md, u64 va) >> if (!(md->attribute & EFI_MEMORY_WB)) >> flags |= _PAGE_PCD; >> >> + if (sev_active()) >> + flags |= _PAGE_ENC; >> + >> pfn = md->phys_addr >> PAGE_SHIFT; >> if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) >> pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", >> @@ -511,6 +518,9 @@ static int __init efi_update_mappings(efi_memory_desc_t *md, unsigned long pf) >> pgd_t *pgd = efi_pgd; >> int err1, err2; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > Move this assignment to the caller efi_update_mem_attr() where pf is being > set... Will do. > >> + >> /* Update the 1:1 mapping */ >> pfn = md->phys_addr >> PAGE_SHIFT; >> err1 = kernel_map_pages_in_pgd(pgd, pfn, md->phys_addr, md->num_pages, pf); >> @@ -589,6 +599,9 @@ void __init efi_runtime_update_mappings(void) >> (md->type != EFI_RUNTIME_SERVICES_CODE)) >> pf |= _PAGE_RW; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > ... just like here. Yup. Thanks, Tom > >> + >> efi_update_mappings(md, pf); > > In general, I'm not totally excited about that sprinkling of if > (sev_active())... :-\ > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tom Lendacky Subject: Re: [RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active Date: Thu, 17 Aug 2017 13:42:04 -0500 Message-ID: <9b56cea1-3338-8d75-e7ff-ecfa06046630@amd.com> References: <20170724190757.11278-1-brijesh.singh@amd.com> <20170724190757.11278-9-brijesh.singh@amd.com> <20170728103152.GE1889@nazgul.tnic> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-efi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Tony Luck , Piotr Luc , Fenghua Yu , Lu Baolu , Reza Arbab , David Howells , Matt Fleming , "Kirill A . Shutemov" , Laura Abbott , Ard Biesheuvel , Andrew Morton , Eric Biederman , Benjamin Herr To: Borislav Petkov , Brijesh Singh Return-path: In-Reply-To: <20170728103152.GE1889@nazgul.tnic> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-Id: kvm.vger.kernel.org On 7/28/2017 5:31 AM, Borislav Petkov wrote: > On Mon, Jul 24, 2017 at 02:07:48PM -0500, Brijesh Singh wrote: >> From: Tom Lendacky >> >> EFI data is encrypted when the kernel is run under SEV. Update the >> page table references to be sure the EFI memory areas are accessed >> encrypted. >> >> Signed-off-by: Tom Lendacky >> Signed-off-by: Brijesh Singh >> --- >> arch/x86/platform/efi/efi_64.c | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c >> index 12e8388..1ecb3f6 100644 >> --- a/arch/x86/platform/efi/efi_64.c >> +++ b/arch/x86/platform/efi/efi_64.c >> @@ -32,6 +32,7 @@ >> #include >> #include >> #include >> +#include >> >> #include >> #include >> @@ -369,7 +370,10 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) >> * as trim_bios_range() will reserve the first page and isolate it away >> * from memory allocators anyway. >> */ >> - if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, _PAGE_RW)) { >> + pf = _PAGE_RW; >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > \n here > >> + if (kernel_map_pages_in_pgd(pgd, 0x0, 0x0, 1, pf)) { >> pr_err("Failed to create 1:1 mapping for the first page!\n"); >> return 1; >> } >> @@ -412,6 +416,9 @@ static void __init __map_region(efi_memory_desc_t *md, u64 va) >> if (!(md->attribute & EFI_MEMORY_WB)) >> flags |= _PAGE_PCD; >> >> + if (sev_active()) >> + flags |= _PAGE_ENC; >> + >> pfn = md->phys_addr >> PAGE_SHIFT; >> if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) >> pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", >> @@ -511,6 +518,9 @@ static int __init efi_update_mappings(efi_memory_desc_t *md, unsigned long pf) >> pgd_t *pgd = efi_pgd; >> int err1, err2; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > Move this assignment to the caller efi_update_mem_attr() where pf is being > set... Will do. > >> + >> /* Update the 1:1 mapping */ >> pfn = md->phys_addr >> PAGE_SHIFT; >> err1 = kernel_map_pages_in_pgd(pgd, pfn, md->phys_addr, md->num_pages, pf); >> @@ -589,6 +599,9 @@ void __init efi_runtime_update_mappings(void) >> (md->type != EFI_RUNTIME_SERVICES_CODE)) >> pf |= _PAGE_RW; >> >> + if (sev_active()) >> + pf |= _PAGE_ENC; > > ... just like here. Yup. Thanks, Tom > >> + >> efi_update_mappings(md, pf); > > In general, I'm not totally excited about that sprinkling of if > (sev_active())... :-\ >