From: Tom Lendacky <thomas.lendacky@amd.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Ard Biesheuvel <ardb+git@google.com>,
linux-kernel@vger.kernel.org,
Kevin Loughlin <kevinloughlin@google.com>,
Dionna Glaze <dionnaglaze@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Justin Stitt <justinstitt@google.com>,
Kees Cook <keescook@chromium.org>,
Brian Gerst <brgerst@gmail.com>,
linux-arch@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH v4 07/11] efi/libstub: Add generic support for parsing mem_encrypt=
Date: Tue, 20 Feb 2024 13:28:00 -0600 [thread overview]
Message-ID: <fccd8544-76ab-4723-9616-ff4bc783b692@amd.com> (raw)
In-Reply-To: <CAMj1kXG_sQ-+ULtvE7SqD0DYe3p9=tP8K9VPgfiR-0Z55A9vVw@mail.gmail.com>
On 2/19/24 11:06, Ard Biesheuvel wrote:
> On Mon, 19 Feb 2024 at 18:00, Tom Lendacky <thomas.lendacky@amd.com> wrote:
>>
>> On 2/13/24 06:41, Ard Biesheuvel wrote:
>>> From: Ard Biesheuvel <ardb@kernel.org>
>>>
>>> Parse the mem_encrypt= command line parameter from the EFI stub if
>>> CONFIG_ARCH_HAS_MEM_ENCRYPT=y, so that it can be passed to the early
>>> boot code by the arch code in the stub.
>>>
>>> This avoids the need for the core kernel to do any string parsing very
>>> early in the boot.
>>>
>>> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>>> ---
>>> drivers/firmware/efi/libstub/efi-stub-helper.c | 8 ++++++++
>>> drivers/firmware/efi/libstub/efistub.h | 2 +-
>>> 2 files changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> index bfa30625f5d0..3dc2f9aaf08d 100644
>>> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> @@ -24,6 +24,8 @@ static bool efi_noinitrd;
>>> static bool efi_nosoftreserve;
>>> static bool efi_disable_pci_dma = IS_ENABLED(CONFIG_EFI_DISABLE_PCI_DMA);
>>>
>>> +int efi_mem_encrypt;
>>> +
>>> bool __pure __efi_soft_reserve_enabled(void)
>>> {
>>> return !efi_nosoftreserve;
>>> @@ -75,6 +77,12 @@ efi_status_t efi_parse_options(char const *cmdline)
>>> efi_noinitrd = true;
>>> } else if (IS_ENABLED(CONFIG_X86_64) && !strcmp(param, "no5lvl")) {
>>> efi_no5lvl = true;
>>> + } else if (IS_ENABLED(CONFIG_ARCH_HAS_MEM_ENCRYPT) &&
>>> + !strcmp(param, "mem_encrypt") && val) {
>>> + if (parse_option_str(val, "on"))
>>> + efi_mem_encrypt = 1;
>>> + else if (parse_option_str(val, "off"))
>>> + efi_mem_encrypt = -1;
>>
>> With CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT having recently been
>> removed, I'm not sure what parsing for mem_encrypt=off does.
>>
>> (Same thing in the next patch.)
>>
>
> We have to deal with both mem_encrypt=on and mem_encrypt=off occurring
> on the command line. efi_parse_options() may be called more than once,
> i.e., when there is a default command line baked into the image that
> can be overridden at runtime. So if the baked in one has
> mem_encrypt=on, mem_encrypt=off appearing later should counter that.
>
> The same applies to the next patch, although the decompressor appears
> to ignore the built-in command line entirely (I made a note of that in
> the commit log)
Ah, makes sense.
Thanks,
Tom
next prev parent reply other threads:[~2024-02-20 19:28 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 12:41 [PATCH v4 00/11] x86: Confine early 1:1 mapped startup code Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 01/11] x86/startup_64: Simplify global variable accesses in GDT/IDT programming Ard Biesheuvel
2024-02-13 20:05 ` Borislav Petkov
2024-02-13 21:53 ` Ard Biesheuvel
2024-02-14 7:28 ` Ard Biesheuvel
2024-02-15 13:52 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 02/11] x86/startup_64: Replace pointer fixups with RIP-relative references Ard Biesheuvel
2024-02-17 12:51 ` Borislav Petkov
2024-02-17 13:58 ` Ard Biesheuvel
2024-02-17 16:10 ` Ard Biesheuvel
2024-02-19 9:55 ` Borislav Petkov
2024-02-19 10:45 ` Ard Biesheuvel
2024-02-19 10:01 ` Borislav Petkov
2024-02-19 10:47 ` Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 03/11] x86/startup_64: Simplify CR4 handling in startup code Ard Biesheuvel
2024-02-19 10:32 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 04/11] x86/startup_64: Defer assignment of 5-level paging global variables Ard Biesheuvel
2024-02-20 18:45 ` Borislav Petkov
2024-02-20 23:33 ` Ard Biesheuvel
2024-02-21 10:09 ` Borislav Petkov
2024-02-21 10:20 ` Ard Biesheuvel
2024-02-21 11:12 ` Borislav Petkov
2024-02-21 11:21 ` Ard Biesheuvel
2024-02-21 11:23 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 05/11] x86/startup_64: Simplify calculation of initial page table address Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 06/11] x86/startup_64: Simplify virtual switch on primary boot Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 07/11] efi/libstub: Add generic support for parsing mem_encrypt= Ard Biesheuvel
2024-02-19 17:00 ` Tom Lendacky
2024-02-19 17:06 ` Ard Biesheuvel
2024-02-20 19:28 ` Tom Lendacky [this message]
2024-02-13 12:41 ` [PATCH v4 08/11] x86/boot: Move mem_encrypt= parsing to the decompressor Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 09/11] x86/sme: Move early SME kernel encryption handling into .head.text Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 10/11] x86/sev: Move early startup code into .head.text section Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 11/11] x86/startup_64: Drop global variables keeping track of LA57 state Ard Biesheuvel
2024-02-14 15:24 ` Brian Gerst
2024-02-14 15:44 ` Ard Biesheuvel
2024-02-14 20:25 ` Brian Gerst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fccd8544-76ab-4723-9616-ff4bc783b692@amd.com \
--to=thomas.lendacky@amd.com \
--cc=ardb+git@google.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dionnaglaze@google.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=kevinloughlin@google.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.