linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed
From: Brijesh Singh <brijesh.singh@amd.com>
To: linux-kernel@vger.kernel.org, x86@kernel.org,
	linux-efi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	kvm@vger.kernel.org
Cc: "Thomas Gleixner" <tglx@linutronix.de>,
	"Ingo Molnar" <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>, "Borislav Petkov" <bp@suse.de>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Tony Luck" <tony.luck@intel.com>,
	"Piotr Luc" <piotr.luc@intel.com>,
	"Tom Lendacky" <thomas.lendacky@amd.com>,
	"Fenghua Yu" <fenghua.yu@intel.com>,
	"Lu Baolu" <baolu.lu@linux.intel.com>,
	"Reza Arbab" <arbab@linux.vnet.ibm.com>,
	"David Howells" <dhowells@redhat.com>,
	"Matt Fleming" <matt@codeblueprint.co.uk>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	"Laura Abbott" <labbott@redhat.com>,
	"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Eric Biederman" <ebiederm@xmission.com>,
	"Benjamin Herrenschmidt" <benh@kernel.crashing.org>,
	"Paul Mackerras" <paulus@samba.org>,
	"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Dave Airlie" <airlied@redhat.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	"Arnd Bergmann" <arnd@arndb.de>, "Tejun Heo" <tj@kernel.org>,
	"Christoph Lameter" <cl@linux.com>,
	"Brijesh Singh" <brijesh.singh@amd.com>
Subject: [RFC Part1 PATCH v3 06/17] x86/mm: Use encrypted access of boot related data with SEV
Date: Mon, 24 Jul 2017 14:07:46 -0500	[thread overview]
Message-ID: <20170724190757.11278-7-brijesh.singh@amd.com> (raw)
In-Reply-To: <20170724190757.11278-1-brijesh.singh@amd.com>

From: Tom Lendacky <thomas.lendacky@amd.com>

When Secure Encrypted Virtualization (SEV) is active, boot data (such as
EFI related data, setup data) is encrypted and needs to be accessed as
such when mapped. Update the architecture override in early_memremap to
keep the encryption attribute when mapping this data.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 arch/x86/mm/ioremap.c | 44 ++++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index 34f0e18..c0be7cf 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -422,6 +422,9 @@ void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
  * areas should be mapped decrypted. And since the encryption key can
  * change across reboots, persistent memory should also be mapped
  * decrypted.
+ *
+ * If SEV is active, that implies that BIOS/UEFI also ran encrypted so
+ * only persistent memory should be mapped decrypted.
  */
 static bool memremap_should_map_decrypted(resource_size_t phys_addr,
 					  unsigned long size)
@@ -458,6 +461,11 @@ static bool memremap_should_map_decrypted(resource_size_t phys_addr,
 	case E820_TYPE_ACPI:
 	case E820_TYPE_NVS:
 	case E820_TYPE_UNUSABLE:
+		/* For SEV, these areas are encrypted */
+		if (sev_active())
+			break;
+		/* Fallthrough */
+
 	case E820_TYPE_PRAM:
 		return true;
 	default:
@@ -581,7 +589,7 @@ static bool __init early_memremap_is_setup_data(resource_size_t phys_addr,
 bool arch_memremap_can_ram_remap(resource_size_t phys_addr, unsigned long size,
 				 unsigned long flags)
 {
-	if (!sme_active())
+	if (!sme_active() && !sev_active())
 		return true;
 
 	if (flags & MEMREMAP_ENC)
@@ -590,10 +598,15 @@ bool arch_memremap_can_ram_remap(resource_size_t phys_addr, unsigned long size,
 	if (flags & MEMREMAP_DEC)
 		return false;
 
-	if (memremap_is_setup_data(phys_addr, size) ||
-	    memremap_is_efi_data(phys_addr, size) ||
-	    memremap_should_map_decrypted(phys_addr, size))
-		return false;
+	if (sme_active()) {
+		if (memremap_is_setup_data(phys_addr, size) ||
+		    memremap_is_efi_data(phys_addr, size) ||
+		    memremap_should_map_decrypted(phys_addr, size))
+			return false;
+	} else if (sev_active()) {
+		if (memremap_should_map_decrypted(phys_addr, size))
+			return false;
+	}
 
 	return true;
 }
@@ -608,15 +621,22 @@ pgprot_t __init early_memremap_pgprot_adjust(resource_size_t phys_addr,
 					     unsigned long size,
 					     pgprot_t prot)
 {
-	if (!sme_active())
+	if (!sme_active() && !sev_active())
 		return prot;
 
-	if (early_memremap_is_setup_data(phys_addr, size) ||
-	    memremap_is_efi_data(phys_addr, size) ||
-	    memremap_should_map_decrypted(phys_addr, size))
-		prot = pgprot_decrypted(prot);
-	else
-		prot = pgprot_encrypted(prot);
+	if (sme_active()) {
+		if (early_memremap_is_setup_data(phys_addr, size) ||
+		    memremap_is_efi_data(phys_addr, size) ||
+		    memremap_should_map_decrypted(phys_addr, size))
+			prot = pgprot_decrypted(prot);
+		else
+			prot = pgprot_encrypted(prot);
+	} else if (sev_active()) {
+		if (memremap_should_map_decrypted(phys_addr, size))
+			prot = pgprot_decrypted(prot);
+		else
+			prot = pgprot_encrypted(prot);
+	}
 
 	return prot;
 }
-- 
2.9.4

  parent reply	other threads:[~2017-07-24 19:08 UTC|newest]

Thread overview: 79+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-24 19:07 [RFC Part1 PATCH v3 00/17] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) descrption Brijesh Singh
2017-07-25  5:45   ` Borislav Petkov
2017-07-25 14:59     ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 02/17] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
2017-07-25 10:26   ` Borislav Petkov
2017-07-25 14:29     ` Tom Lendacky
2017-07-25 14:36       ` Borislav Petkov
2017-07-25 14:58         ` Tom Lendacky
2017-07-25 15:13           ` Borislav Petkov
2017-07-25 15:29             ` Tom Lendacky
2017-07-25 15:33               ` Borislav Petkov
2017-08-09 18:17                 ` Tom Lendacky
2017-08-17  8:12                   ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 03/17] x86/mm: Secure Encrypted Virtualization (SEV) support Brijesh Singh
2017-07-26  4:28   ` Borislav Petkov
2017-07-26 16:47     ` Tom Lendacky
2017-07-27 13:39       ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 04/17] x86/mm: Don't attempt to encrypt initrd under SEV Brijesh Singh
2017-07-26 14:44   ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 05/17] x86, realmode: Don't decrypt trampoline area " Brijesh Singh
2017-07-26 16:03   ` Borislav Petkov
2017-08-10 13:03     ` Tom Lendacky
2017-07-24 19:07 ` Brijesh Singh [this message]
2017-07-27 13:31   ` [RFC Part1 PATCH v3 06/17] x86/mm: Use encrypted access of boot related data with SEV Borislav Petkov
2017-08-17 18:05     ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 07/17] x86/mm: Include SEV for encryption memory attribute changes Brijesh Singh
2017-07-27 14:58   ` Borislav Petkov
2017-07-28  8:47     ` David Laight
2017-08-17 18:21       ` Tom Lendacky
2017-08-17 18:10     ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active Brijesh Singh
2017-07-28 10:31   ` Borislav Petkov
2017-08-17 18:42     ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 09/17] resource: Consolidate resource walking code Brijesh Singh
2017-07-28 15:23   ` Borislav Petkov
2017-08-17 18:55     ` Tom Lendacky
2017-08-17 19:03       ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 10/17] resource: Provide resource struct in resource walk callback Brijesh Singh
2017-07-31  8:26   ` Borislav Petkov
2017-07-31 22:19   ` Kees Cook
2017-07-24 19:07 ` [RFC Part1 PATCH v3 11/17] x86/mm, resource: Use PAGE_KERNEL protection for ioremap of memory pages Brijesh Singh
2017-08-02  4:02   ` Borislav Petkov
2017-08-17 19:22     ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 12/17] x86/mm: DMA support for SEV memory encryption Brijesh Singh
2017-08-07  3:48   ` Borislav Petkov
2017-08-17 19:35     ` Tom Lendacky
2017-07-24 19:07 ` [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active Brijesh Singh
2017-07-25  9:51   ` David Laight
2017-07-26 10:45     ` Arnd Bergmann
2017-07-26 19:24       ` Brijesh Singh
2017-07-26 19:26         ` H. Peter Anvin
2017-07-26 20:07           ` Brijesh Singh
2017-07-27  7:45             ` David Laight
2017-08-22 16:52             ` Borislav Petkov
2017-09-15 12:24               ` Borislav Petkov
2017-09-15 14:13                 ` Brijesh Singh
2017-09-15 14:40                   ` Borislav Petkov
2017-09-15 14:48                     ` Brijesh Singh
2017-09-15 16:22                       ` Borislav Petkov
2017-09-15 16:27                         ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 14/17] x86/boot: Add early boot support when running with SEV active Brijesh Singh
2017-08-23 15:30   ` Borislav Petkov
2017-08-24 18:54     ` Tom Lendacky
2017-08-25 12:54       ` Borislav Petkov
2017-07-24 19:07 ` [RFC Part1 PATCH v3 15/17] x86: Add support for changing memory encryption attribute in early boot Brijesh Singh
2017-08-28 10:51   ` Borislav Petkov
2017-08-28 11:49     ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables Brijesh Singh
2017-08-29 10:22   ` Borislav Petkov
2017-08-30 16:18     ` Brijesh Singh
2017-08-30 17:46       ` Borislav Petkov
2017-09-01 22:52         ` Brijesh Singh
2017-09-02  3:21           ` Andy Lutomirski
2017-09-03  2:34             ` Brijesh Singh
2017-09-04 17:05           ` Borislav Petkov
2017-09-04 17:47             ` Brijesh Singh
2017-07-24 19:07 ` [RFC Part1 PATCH v3 17/17] X86/KVM: Clear encryption attribute when SEV is active Brijesh Singh
2017-08-31 15:06   ` Borislav Petkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170724190757.11278-7-brijesh.singh@amd.com \
    --to=brijesh.singh@amd.com \
    --cc=airlied@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=arbab@linux.vnet.ibm.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=arnd@arndb.de \
    --cc=baolu.lu@linux.intel.com \
    --cc=benh@kernel.crashing.org \
    --cc=bp@suse.de \
    --cc=cl@linux.com \
    --cc=corbet@lwn.net \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=fenghua.yu@intel.com \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=konrad.wilk@oracle.com \
    --cc=kvm@vger.kernel.org \
    --cc=labbott@redhat.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=luto@kernel.org \
    --cc=matt@codeblueprint.co.uk \
    --cc=mingo@redhat.com \
    --cc=paulus@samba.org \
    --cc=pbonzini@redhat.com \
    --cc=piotr.luc@intel.com \
    --cc=rkrcmar@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=tj@kernel.org \
    --cc=tony.luck@intel.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).