From: Tom Lendacky
Subject: [RFC PATCH v3 20/20] x86: Add support to make use of Secure Memory Encryption
CC: Rik van Riel, Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Paolo Bonzini, Larry Woodman, Ingo Molnar, Borislav Petkov, Andy Lutomirski, H. Peter Anvin, Andrey Ryabinin, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Date: Wed, 9 Nov 2016 18:38:38 -0600
Message-ID: <20161110003838.3280.23327.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds the support to
check if SME has been enabled and if the mem_encrypt=on command line option is set. If both of these conditions are true, then the encryption mask is set and the kernel is encrypted "in place." Signed-off-by: Tom Lendacky --- arch/x86/kernel/head_64.S | 1 + arch/x86/kernel/mem_encrypt_init.c | 60 +++++++++++++++++++++++++++++++++++- arch/x86/mm/mem_encrypt.c | 2 + 3 files changed, 62 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index e8a7272..c225433 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -100,6 +100,7 @@ startup_64: * to include it in the page table fixups. */ push %rsi + movq %rsi, %rdi call sme_enable pop %rsi movq %rax, %r12 diff --git a/arch/x86/kernel/mem_encrypt_init.c b/arch/x86/kernel/mem_encrypt_init.c index 7bdd159..c94ceb8 100644 --- a/arch/x86/kernel/mem_encrypt_init.c +++ b/arch/x86/kernel/mem_encrypt_init.c @@ -16,9 +16,14 @@ #include #include +#include +#include +#include #ifdef CONFIG_AMD_MEM_ENCRYPT +static char sme_cmdline_arg[] __initdata = "mem_encrypt=on"; + extern void sme_encrypt_execute(unsigned long, unsigned long, unsigned long, void *, pgd_t *); 
@@ -219,7 +224,60 @@ unsigned long __init sme_get_me_mask(void) return sme_me_mask; } -unsigned long __init sme_enable(void) +unsigned long __init sme_enable(void *boot_data) { +#ifdef CONFIG_AMD_MEM_ENCRYPT + struct boot_params *bp = boot_data; + unsigned int eax, ebx, ecx, edx; + u64 msr; + unsigned long cmdline_ptr; + void *cmdline_arg; + + /* Check for an AMD processor */ + eax = 0; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if ((ebx != 0x68747541) || (edx != 0x69746e65) || (ecx != 0x444d4163)) + goto out; + + /* Check for the SME support leaf */ + eax = 0x80000000; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if (eax < 0x8000001f) + goto out; + + /* + * Check for the SME feature: + * CPUID Fn8000_001F[EAX] - Bit 0 + * Secure Memory Encryption support + * CPUID Fn8000_001F[EBX] - Bits 5:0 + * Pagetable bit position used to indicate encryption + */ + eax = 0x8000001f; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if (!(eax & 1)) + goto out; + + /* Check if SME is enabled */ + msr = native_read_msr(MSR_K8_SYSCFG); + if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) + goto out; + + /* + * Fixups have not been to applied phys_base yet, so we must obtain + * the address to the SME command line option in the following way. + */ + asm ("lea sme_cmdline_arg(%%rip), %0" + : "=r" (cmdline_arg) + : "p" (sme_cmdline_arg)); + cmdline_ptr = bp->hdr.cmd_line_ptr | ((u64)bp->ext_cmd_line_ptr << 32); + if (cmdline_find_option_bool((char *)cmdline_ptr, cmdline_arg)) + sme_me_mask = 1UL << (ebx & 0x3f); + +out: +#endif /* CONFIG_AMD_MEM_ENCRYPT */ + return sme_me_mask; } diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c index e351003..d0bc3f5 100644 --- a/arch/x86/mm/mem_encrypt.c +++ b/arch/x86/mm/mem_encrypt.c 
@@ -251,6 +251,8 @@ void __init mem_encrypt_init(void) /* Make SWIOTLB use an unencrypted DMA area */ swiotlb_clear_encryption(); + + pr_info("AMD Secure Memory Encryption active\n"); } void swiotlb_set_mem_unenc(void *vaddr, unsigned long size)
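
Review bot: in the arch/x86/kernel/head_64.S hunk, the added "movq %rsi, %rdi" ahead of "call sme_enable" has no comment explaining that %rdi now carries the argument for sme_enable(void *boot_data), which the C side casts to struct boot_params *. The existing comment above the push only explains why sme_enable is called early; please extend it to say that %rsi holds the boot data pointer, that it is passed as the first argument, and that it is preserved across the call by the push/pop pair.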
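
Review bot: in the first arch/x86/kernel/mem_encrypt_init.c hunk, sme_cmdline_arg is declared as a writable "static char sme_cmdline_arg[] __initdata" although the visible code only ever takes its address and passes it to cmdline_find_option_bool(). Consider making it const and placing it in __initconst. Since the string bakes in "=on", it would also help to document next to the declaration that any other spelling of the option leaves encryption off.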
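
Review bot: in the sme_enable() hunk of arch/x86/kernel/mem_encrypt_init.c, the inline asm lists "p" (sme_cmdline_arg) as an input operand, but the template "lea sme_cmdline_arg(%%rip), %0" names the symbol directly and never references that operand. Either drop the input or explain why it is needed (for example, to keep the symbol referenced). The comment above it also has its words transposed: "have not been to applied phys_base" should read "have not been applied to phys_base". Two smaller points in the same hunk: the vendor check compares against bare 0x68747541 / 0x69746e65 / 0x444d4163, which would be easier to audit with a comment naming the vendor string they spell; and every "goto out" path returns a zero mask without any indication of which check failed, so a system where SME is supported and enabled in SYSCFG but the option is absent or misspelled falls back to unencrypted memory silently.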
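
Review bot: in the arch/x86/mm/mem_encrypt.c hunk, the new pr_info("AMD Secure Memory Encryption active\n") follows swiotlb_clear_encryption() with no guard visible in the context lines. Please confirm that mem_encrypt_init() returns early when sme_me_mask is zero; if it does not, the log line would report encryption as active on systems where sme_enable() left the mask unset, which is misleading for anyone relying on the boot log to verify the protection is on.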