* Re: Patch "x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path" has been added to the 5.12-stable tree

From: Greg KH @ 2021-05-08 10:26 UTC
To: linux-kernel; +Cc: jroedel, stable-commits

On Fri, May 07, 2021 at 11:22:23PM -0400, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
>     x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path
>
> to the 5.12-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      x86-boot-compressed-64-check-sev-encryption-in-the-3.patch
> and it can be found in the queue-5.12 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
>
> commit 2c622aeb46b16fd945fc681fec16b989940b826d
> Author: Joerg Roedel <jroedel@suse.de>
> Date:   Fri Mar 12 13:38:23 2021 +0100
>
>     x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path
>
>     [ Upstream commit fef81c86262879d4b1176ef51a834c15b805ebb9 ]
>
>     Check whether the hypervisor reported the correct C-bit when running
>     as an SEV guest. Using a wrong C-bit position could be used to leak
>     sensitive data from the guest to the hypervisor.
>
>     Signed-off-by: Joerg Roedel <jroedel@suse.de>
>     Signed-off-by: Borislav Petkov <bp@suse.de>
>     Link: https://lkml.kernel.org/r/20210312123824.306-8-joro@8bytes.org
>     Signed-off-by: Sasha Levin <sashal@kernel.org>

This breaks the build (link time) for 5.12, 5.11, and 5.10 trees, so I'll
go drop it for now. If it needs to come back, can someone submit a working
version?

thanks,

greg k-h
* [PATCH stable-5.10,5.11,5.12] x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path 2021-05-08 10:26 ` Patch "x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path" has been added to the 5.12-stable tree Greg KH @ 2021-05-18 11:39 ` Joerg Roedel 2021-05-18 11:40 ` Joerg Roedel 0 siblings, 1 reply; 4+ messages in thread From: Joerg Roedel @ 2021-05-18 11:39 UTC (permalink / raw) To: Greg KH; +Cc: linux-kernel, stable-commits [ Upstream commit fef81c86262879d4b1176ef51a834c15b805ebb9 ] Check whether the hypervisor reported the correct C-bit when running as an SEV guest. Using a wrong C-bit position could be used to leak sensitive data from the guest to the hypervisor. Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20210312123824.306-8-joro@8bytes.org --- arch/x86/boot/compressed/head_64.S | 85 ++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S index e94874f4bbc1..ae1fe558a2d8 100644 --- a/arch/x86/boot/compressed/head_64.S +++ b/arch/x86/boot/compressed/head_64.S @@ -172,11 +172,21 @@ SYM_FUNC_START(startup_32) */ call get_sev_encryption_bit xorl %edx, %edx +#ifdef CONFIG_AMD_MEM_ENCRYPT testl %eax, %eax jz 1f subl $32, %eax /* Encryption bit is always above bit 31 */ bts %eax, %edx /* Set encryption mask for page tables */ + /* + * Mark SEV as active in sev_status so that startup32_check_sev_cbit() + * will do a check. The sev_status memory will be fully initialized + * with the contents of MSR_AMD_SEV_STATUS later in + * set_sev_encryption_mask(). For now it is sufficient to know that SEV + * is active. + */ + movl $1, rva(sev_status)(%ebp) 1: +#endif /* Initialize Page tables to 0 */ leal rva(pgtable)(%ebx), %edi 
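Review bot: the diffstat lists only arch/x86/boot/compressed/head_64.S, yet the new `movl $1, rva(sev_status)(%ebp)` (and the `sev_check_data` accesses in the last hunk) reference symbols this patch does not define; since the previous submission of this change failed at link time on 5.10, 5.11 and 5.12, the changelog should name the commit(s) that provide `sev_status` and `sev_check_data` in the compressed boot code of each stable tree, or carry them as explicit dependencies. Also, the store is a 32-bit `movl`, so if `sev_status` holds the full 64-bit MSR_AMD_SEV_STATUS value the upper half is being relied on to already be zero until `set_sev_encryption_mask()` overwrites it; one sentence in the new comment would make that assumption explicit.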
@@ -261,6 +271,9 @@ SYM_FUNC_START(startup_32) movl %esi, %edx 1: #endif + /* Check if the C-bit position is correct when SEV is active */ + call startup32_check_sev_cbit + pushl $__KERNEL_CS pushl %eax 
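Review bot: the `call startup32_check_sev_cbit` sits after the `#endif`, so it is unconditional and relies on the callee collapsing to a bare `ret` when CONFIG_AMD_MEM_ENCRYPT is off; that is fine but deserves a one-line comment. More important, the call is placed directly before `pushl $__KERNEL_CS` / `pushl %eax`, so %eax must be intact on return, and the callee addresses its data as `rva(...)(%ebp)`, so %ebp must still hold the load offset here; the comment should record both preconditions ("preserves all registers, needs %ebp = load address") because nothing else at the call site documents them.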
@@ -786,6 +799,78 @@ SYM_DATA_START_LOCAL(loaded_image_proto) SYM_DATA_END(loaded_image_proto) #endif +/* + * Check for the correct C-bit position when the startup_32 boot-path is used. + * + * The check makes use of the fact that all memory is encrypted when paging is + * disabled. The function creates 64 bits of random data using the RDRAND + * instruction. RDRAND is mandatory for SEV guests, so always available. If the + * hypervisor violates that the kernel will crash right here. + * + * The 64 bits of random data are stored to a memory location and at the same + * time kept in the %eax and %ebx registers. Since encryption is always active + * when paging is off the random data will be stored encrypted in main memory. + * + * Then paging is enabled. When the C-bit position is correct all memory is + * still mapped encrypted and comparing the register values with memory will + * succeed. An incorrect C-bit position will map all memory unencrypted, so that + * the compare will use the encrypted random data and fail. + */ + __HEAD + .code32 +SYM_FUNC_START(startup32_check_sev_cbit) +#ifdef CONFIG_AMD_MEM_ENCRYPT + pushl %eax + pushl %ebx + pushl %ecx + pushl %edx + + /* Check for non-zero sev_status */ + movl rva(sev_status)(%ebp), %eax + testl %eax, %eax + jz 4f + + /* + * Get two 32-bit random values - Don't bail out if RDRAND fails + * because it is better to prevent forward progress if no random value + * can be gathered. 
+ */ +1: rdrand %eax + jnc 1b +2: rdrand %ebx + jnc 2b + + /* Store to memory and keep it in the registers */ + movl %eax, rva(sev_check_data)(%ebp) + movl %ebx, rva(sev_check_data+4)(%ebp) + + /* Enable paging to see if encryption is active */ + movl %cr0, %edx /* Backup %cr0 in %edx */ + movl $(X86_CR0_PG | X86_CR0_PE), %ecx /* Enable Paging and Protected mode */ + movl %ecx, %cr0 + + cmpl %eax, rva(sev_check_data)(%ebp) + jne 3f + cmpl %ebx, rva(sev_check_data+4)(%ebp) + jne 3f + + movl %edx, %cr0 /* Restore previous %cr0 */ + + jmp 4f + +3: /* Check failed - hlt the machine */ + hlt + jmp 3b + +4: + popl %edx + popl %ecx + popl %ebx + popl %eax +#endif + ret +SYM_FUNC_END(startup32_check_sev_cbit) + /* * Stack and heap for uncompression */ -- 2.31.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
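Review bot: `cmpl %eax, rva(sev_check_data)(%ebp)` runs with paging just enabled, so the check only works if the page tables loaded earlier in startup_32 identity-map the decompressor image including `sev_check_data`; the header comment explains the encryption argument well but not this mapping precondition, and it should. Two smaller points: `movl $(X86_CR0_PG | X86_CR0_PE), %ecx` followed by `movl %ecx, %cr0` drops every other CR0 bit until the `movl %edx, %cr0` restore, which is harmless on the success path but worth stating, and the `3:` failure path halts without restoring CR0, which is intentional per the comment ("the kernel will crash right here") and deserves the same note so nobody "fixes" it later. The `rdrand`/`jnc` spin loops are correct as written given the stated intent of making no progress without entropy.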
* Re: [PATCH stable-5.10,5.11,5.12] x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path

From: Joerg Roedel @ 2021-05-18 11:40 UTC
To: Greg KH; +Cc: linux-kernel, stable-commits

On Tue, May 18, 2021 at 01:39:02PM +0200, Joerg Roedel wrote:
> [ Upstream commit fef81c86262879d4b1176ef51a834c15b805ebb9 ]
>
> Check whether the hypervisor reported the correct C-bit when running
> as an SEV guest. Using a wrong C-bit position could be used to leak
> sensitive data from the guest to the hypervisor.
>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Link: https://lkml.kernel.org/r/20210312123824.306-8-joro@8bytes.org
> ---
>  arch/x86/boot/compressed/head_64.S | 85 ++++++++++++++++++++++++++++++
>  1 file changed, 85 insertions(+)

This is compile-tested now for 5.10, 5.11 and 5.12. With 5.12 I also did
a boot-test using the 32-bit boot-path and verified it still works as
expected.

Regards,

	Joerg
* Re: [PATCH stable-5.10,5.11,5.12] x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path

From: Greg KH @ 2021-05-24 12:50 UTC
To: Joerg Roedel; +Cc: linux-kernel, stable-commits

On Tue, May 18, 2021 at 01:40:18PM +0200, Joerg Roedel wrote:
> On Tue, May 18, 2021 at 01:39:02PM +0200, Joerg Roedel wrote:
> > [ Upstream commit fef81c86262879d4b1176ef51a834c15b805ebb9 ]
> >
> > Check whether the hypervisor reported the correct C-bit when running
> > as an SEV guest. Using a wrong C-bit position could be used to leak
> > sensitive data from the guest to the hypervisor.
> >
> > Signed-off-by: Joerg Roedel <jroedel@suse.de>
> > Signed-off-by: Borislav Petkov <bp@suse.de>
> > Link: https://lkml.kernel.org/r/20210312123824.306-8-joro@8bytes.org
> > ---
> >  arch/x86/boot/compressed/head_64.S | 85 ++++++++++++++++++++++++++++++
> >  1 file changed, 85 insertions(+)
>
> This is compile-tested now for 5.10, 5.11 and 5.12. With 5.12 I also did
> a boot-test using the 32-bit boot-path and verified it still works as
> expected.

Now queued up, thanks.

greg k-h