Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756839AbcKKQRm (ORCPT ); Fri, 11 Nov 2016 11:17:42 -0500 Received: from mail-by2nam01on0128.outbound.protection.outlook.com ([104.47.34.128]:23488 "EHLO NAM01-BY2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1756737AbcKKQRj (ORCPT ); Fri, 11 Nov 2016 11:17:39 -0500 X-Greylist: delayed 53448 seconds by postgrey-1.27 at vger.kernel.org; Fri, 11 Nov 2016 11:17:38 EST From: "Kani, Toshimitsu" To: "kvm@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-mm@kvack.org" , "kasan-dev@googlegroups.com" , "x86@kernel.org" , "iommu@lists.linux-foundation.org" , "linux-efi@vger.kernel.org" , "thomas.lendacky@amd.com" , "linux-arch@vger.kernel.org" , "linux-doc@vger.kernel.org" CC: "matt@codeblueprint.co.uk" , "corbet@lwn.net" , "tglx@linutronix.de" , "konrad.wilk@oracle.com" , "joro@8bytes.org" , "dvyukov@google.com" , "aryabinin@virtuozzo.com" , "riel@redhat.com" , "lwoodman@redhat.com" , "mingo@redhat.com" , "hpa@zytor.com" , "luto@kernel.org" , "pbonzini@redhat.com" , "bp@alien8.de" , "glider@google.com" , "rkrcmar@redhat.com" , "arnd@arndb.de" Subject: Re: [RFC PATCH v3 10/20] Add support to access boot related data in the clear Thread-Topic: [RFC PATCH v3 10/20] Add support to access boot related data in the clear Thread-Index: AQHSOuqpfUYWnLCn0km2yWxclgka7aDT982A Date: Fri, 11 Nov 2016 16:17:36 +0000 Message-ID: <1478880929.20881.148.camel@hpe.com> References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net> <20161110003631.3280.73292.stgit@tlendack-t1.amdoffice.net> In-Reply-To: <20161110003631.3280.73292.stgit@tlendack-t1.amdoffice.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=toshi.kani@hpe.com; x-originating-ip: [15.219.163.9] x-microsoft-exchange-diagnostics: 1;CS1PR84MB0005;7:FviDbCAgWLYjLKA973l1y2YZxvH47FVwrSnQDdqbWBmJMaV9iv6Y9h8ROSsNm09O6Cmx53+BTHt1rar+yAkWCtmBWByi1dwe+Ht7xJaeyBANFqbf+3D8NTFtop81Prbbvt9auf6lBJttO+vJ7JliwzAuBhxyOQAoyhro7gxZl1eGM4UAAjaSrAItsmnYs3TB3FiSX3VpgjKoaI8GARYZZV+rkRk4tqopGswiw1RW3KgjAfJ4q4PI42UQI7ep681CBSsJSI3tEwj0ibOMCqpQzGLWTzbjSleR2i7CWLoyTMeZiZ+zS2vkrr5bQ7kur4QjnbPYCsJBPTkXeEDC88/axvO9c8Lu3WtJpGMp2rG1Izw= x-ms-office365-filtering-correlation-id: 6443c4e2-002a-4d6e-4f59-08d40a4e4057 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CS1PR84MB0005; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026);SRVR:CS1PR84MB0005;BCL:0;PCL:0;RULEID:;SRVR:CS1PR84MB0005; x-forefront-prvs: 012349AD1C x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(6009001)(7916002)(189002)(377424004)(24454002)(199003)(77096005)(86362001)(586003)(2201001)(2906002)(68736007)(33646002)(99286002)(105586002)(3660700001)(122556002)(92566002)(87936001)(102836003)(3846002)(6116002)(2501003)(36756003)(2900100001)(66066001)(4326007)(229853002)(2950100002)(81166006)(81156014)(8676002)(8936002)(76176999)(54356999)(8666005)(101416001)(50986999)(5660300001)(7736002)(305945005)(7846002)(3280700002)(103116003)(7416002)(106356001)(189998001)(106116001)(5001770100001)(97736004)(7059030)(921003)(1121003)(217873001);DIR:OUT;SFP:1102;SCL:1;SRVR:CS1PR84MB0005;H:CS1PR84MB0005.NAMPRD84.PROD.OUTLOOK.COM;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="utf-8" Content-ID: MIME-Version: 1.0 X-OriginatorOrg: hpe.com X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Nov 2016 16:17:36.6670 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR84MB0005 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id uABGHld7031276 Content-Length: 1421 Lines: 45 On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote: > Boot data (such as EFI related data) is not encrypted when the system > is booted and needs to be accessed unencrypted.  Add support to apply > the proper attributes to the EFI page tables and to the > early_memremap and memremap APIs to identify the type of data being > accessed so that the proper encryption attribute can be applied.  : > +static bool memremap_apply_encryption(resource_size_t phys_addr, > +       unsigned long size) > +{ > + /* SME is not active, just return true */ > + if (!sme_me_mask) > + return true; > + > + /* Check if the address is part of the setup data */ > + if (memremap_setup_data(phys_addr, size)) > + return false; > + > + /* Check if the address is part of EFI boot/runtime data */ > + switch (efi_mem_type(phys_addr)) { > + case EFI_BOOT_SERVICES_DATA: > + case EFI_RUNTIME_SERVICES_DATA: > + return false; > + } > + > + /* Check if the address is outside kernel usable area */ > + switch (e820_get_entry_type(phys_addr, phys_addr + size - > 1)) { > + case E820_RESERVED: > + case E820_ACPI: > + case E820_NVS: > + case E820_UNUSABLE: > + return false; > + } > + > + return true; > +} Are you supporting encryption for E820_PMEM ranges?  If so, this encryption will persist across a reboot and does not need to be encrypted again, right?  Also, how do you keep a same key across a reboot? Thanks, -Toshi