Subject: Re: [RFC PATCH v3 10/20] Add support to access boot related data in the clear
From: Tom Lendacky (Thomas.Lendacky@amd.com)
To: "Kani, Toshimitsu", kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kasan-dev@googlegroups.com, x86@kernel.org, iommu@lists.linux-foundation.org, linux-efi@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org
CC: matt@codeblueprint.co.uk, corbet@lwn.net, tglx@linutronix.de, konrad.wilk@oracle.com, joro@8bytes.org, dvyukov@google.com, aryabinin@virtuozzo.com, riel@redhat.com, lwoodman@redhat.com, mingo@redhat.com, hpa@zytor.com, luto@kernel.org, pbonzini@redhat.com, bp@alien8.de, glider@google.com, rkrcmar@redhat.com, arnd@arndb.de
Date: Mon, 14 Nov 2016 10:24:14 -0600
In-Reply-To: <1478880929.20881.148.camel@hpe.com>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net> <20161110003631.3280.73292.stgit@tlendack-t1.amdoffice.net> <1478880929.20881.148.camel@hpe.com>
On 11/11/2016 10:17 AM, Kani, Toshimitsu wrote:
> On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system
>> is booted and needs to be accessed unencrypted.  Add support to apply
>> the proper attributes to the EFI page tables and to the
>> early_memremap and memremap APIs to identify the type of data being
>> accessed so that the proper encryption attribute can be applied.
> :
>> +static bool memremap_apply_encryption(resource_size_t phys_addr,
>> +				      unsigned long size)
>> +{
>> +	/* SME is not active, just return true */
>> +	if (!sme_me_mask)
>> +		return true;
>> +
>> +	/* Check if the address is part of the setup data */
>> +	if (memremap_setup_data(phys_addr, size))
>> +		return false;
>> +
>> +	/* Check if the address is part of EFI boot/runtime data */
>> +	switch (efi_mem_type(phys_addr)) {
>> +	case EFI_BOOT_SERVICES_DATA:
>> +	case EFI_RUNTIME_SERVICES_DATA:
>> +		return false;
>> +	}
>> +
>> +	/* Check if the address is outside kernel usable area */
>> +	switch (e820_get_entry_type(phys_addr, phys_addr + size -
>> 1)) {
>> +	case E820_RESERVED:
>> +	case E820_ACPI:
>> +	case E820_NVS:
>> +	case E820_UNUSABLE:
>> +		return false;
>> +	}
>> +
>> +	return true;
>> +}
>
> Are you supporting encryption for E820_PMEM ranges?  If so, this
> encryption will persist across a reboot and does not need to be
> encrypted again, right?  Also, how do you keep a same key across a
> reboot?

The key will change across a reboot... so I need to look into this more
for memory that isn't used as traditional system ram.

Thanks,
Tom

>
> Thanks,
> -Toshi
>
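Review bot: in memremap_apply_encryption the EFI check classifies the mapping by its start address only (`efi_mem_type(phys_addr)`), while the e820 check just below covers the whole range (`phys_addr + size - 1`); a request that starts in ordinary RAM and extends into an EFI_BOOT_SERVICES_DATA or EFI_RUNTIME_SERVICES_DATA region is therefore mapped encrypted, so the EFI test should be applied over the full range as well, or the function should state that callers never map across region boundaries. On the question raised in this thread: the e820 switch lists E820_RESERVED, E820_ACPI, E820_NVS and E820_UNUSABLE but not E820_PMEM, so persistent-memory ranges fall through to `return true` and are mapped encrypted; since the reply confirms the key changes across a reboot, data written through such a mapping is unreadable after the next boot, and that range type needs an explicit case or at least a comment saying the handling is deferred.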