From: Tom Lendacky
To: Borislav Petkov
CC: Rik van Riel, Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Paolo Bonzini, Larry Woodman, Ingo Molnar, Andy Lutomirski, "H. Peter Anvin", Andrey Ryabinin, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Subject: Re: [RFC PATCH v3 20/20] x86: Add support to make use of Secure Memory Encryption
Date: Tue, 29 Nov 2016 12:48:17 -0600
Message-ID: <4cffdd71-dcc6-35e9-2654-e39067a525a8@amd.com>
In-Reply-To: <20161126204703.wlcd6cw7dxzvpxyc@pd.tnic>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net> <20161110003838.3280.23327.stgit@tlendack-t1.amdoffice.net> <20161126204703.wlcd6cw7dxzvpxyc@pd.tnic>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/26/2016 2:47 PM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:38:38PM -0600, Tom Lendacky wrote:
>> This patch adds the support to check if SME has been enabled and if the
>> mem_encrypt=on command line option is set. If both of these conditions
>> are true, then the encryption mask is set and the kernel is encrypted
>> "in place."
>>
>> Signed-off-by: Tom Lendacky
>> --- >> arch/x86/kernel/head_64.S | 1 + >> arch/x86/kernel/mem_encrypt_init.c | 60 +++++++++++++++++++++++++++++++++++- >> arch/x86/mm/mem_encrypt.c | 2 + >> 3 files changed, 62 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S >> index e8a7272..c225433 100644 >> --- a/arch/x86/kernel/head_64.S >> +++ b/arch/x86/kernel/head_64.S >> @@ -100,6 +100,7 @@ startup_64: >> * to include it in the page table fixups. >> */ >> push %rsi >> + movq %rsi, %rdi >> call sme_enable >> pop %rsi >> movq %rax, %r12 >> diff --git a/arch/x86/kernel/mem_encrypt_init.c b/arch/x86/kernel/mem_encrypt_init.c >> index 7bdd159..c94ceb8 100644 >> --- a/arch/x86/kernel/mem_encrypt_init.c >> +++ b/arch/x86/kernel/mem_encrypt_init.c >> @@ -16,9 +16,14 @@ >> #include >> >> #include >> +#include >> +#include >> +#include >> >> #ifdef CONFIG_AMD_MEM_ENCRYPT >> >> +static char sme_cmdline_arg[] __initdata = "mem_encrypt=on";
>
> One more thing: just like we're adding an =on switch, we'd need an =off
> switch in case something's wrong with the SME code. IOW, if a user
> supplies "mem_encrypt=off", we do not encrypt.

Well, we can document "off", but if the exact string "mem_encrypt=on"
isn't specified on the command line then the encryption won't occur.
The cmdline_find_option_bool() function looks for the exact string and
isn't interpreting the value on the right side of the equal sign. So
omitting mem_encrypt=on or using mem_encrypt=off is the same.

Thanks,
Tom

>
> Thanks.
>
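
Review bot: In the startup_64 hunk of arch/x86/kernel/head_64.S, the added "movq %rsi, %rdi" ahead of "call sme_enable" is undocumented: the comment block that ends "to include it in the page table fixups" explains the push/pop of %rsi but not that the same register is now handed to sme_enable as its first argument. Extend that comment to say what sme_enable receives in %rdi, so the calling convention of this early-boot call is clear from the assembly alone.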
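
Review bot: In the mem_encrypt_init.c hunk, sme_cmdline_arg holds the whole literal "mem_encrypt=on", key and value together, so a lookup on it cannot tell an absent option from "mem_encrypt=off" or from a mistyped value, and a user who believes encryption was requested gets no diagnostic when it was not. Consider keeping only the key "mem_encrypt" in the string and parsing the value separately (cmdline_find_option() returns the text after the equal sign), so that "on" and "off" are both recognised and anything else can be reported. The accepted values should also be listed wherever the parameter is documented.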
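
The matching behaviour described in the reply above, as an added example that is not part of the original message or the kernel source. find_option_bool() is a simplified model of a whole-token lookup; parse_mem_encrypt(), enum sme_request and the sample command lines are hypothetical, showing how "off" and a mistyped value could be told apart from an absent option.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum sme_request { SME_UNSET, SME_ON, SME_OFF, SME_INVALID };

/* Return the next whitespace-delimited token at or after *p, or NULL. */
static const char *next_token(const char **p, size_t *len)
{
    const char *s = *p;
    while (isspace((unsigned char)*s))
        s++;
    for (*p = s; **p && !isspace((unsigned char)**p); (*p)++)
        ;
    *len = (size_t)(*p - s);
    return *len ? s : NULL;
}

/* Model of the lookup described in the reply: 1 only when `opt` is present
 * as a complete token; the text after '=' is never interpreted. */
static int find_option_bool(const char *cmdline, const char *opt)
{
    size_t len, n = strlen(opt);
    const char *tok;
    while ((tok = next_token(&cmdline, &len)) != NULL)
        if (len == n && memcmp(tok, opt, n) == 0)
            return 1;
    return 0;
}

/* Hypothetical value parser: "off" becomes an explicit choice and any other
 * value is reported instead of silently ignored. Last occurrence wins. */
static enum sme_request parse_mem_encrypt(const char *cmdline)
{
    static const char key[] = "mem_encrypt=";
    size_t len, klen = sizeof(key) - 1;
    enum sme_request req = SME_UNSET;
    const char *tok;
    while ((tok = next_token(&cmdline, &len)) != NULL) {
        if (len < klen || memcmp(tok, key, klen) != 0)
            continue;
        req = (len == klen + 2 && !memcmp(tok + klen, "on", 2)) ? SME_ON :
              (len == klen + 3 && !memcmp(tok + klen, "off", 3)) ? SME_OFF :
              SME_INVALID;
    }
    return req;
}

int main(void) { return !find_option_bool("ro mem_encrypt=on", "mem_encrypt=on"); } /* constructed input */
```

With the boolean lookup, "mem_encrypt=off", "mem_encrypt=On" and an empty command line all give the same result, which is the case an operator auditing whether encryption was actually requested needs to be aware of.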