Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753979AbcLIO1D (ORCPT <rfc822;w@1wt.eu>);
        Fri, 9 Dec 2016 09:27:03 -0500
Received: from mail-cys01nam02on0042.outbound.protection.outlook.com ([104.47.37.42]:7572
        "EHLO NAM02-CY1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1753191AbcLIO06 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Dec 2016 09:26:58 -0500
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=Thomas.Lendacky@amd.com; 
Subject: Re: [RFC PATCH v3 10/20] Add support to access boot related data in
 the clear
To: Matt Fleming <matt@codeblueprint.co.uk>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
 <20161110003631.3280.73292.stgit@tlendack-t1.amdoffice.net>
 <20161207131903.GU20785@codeblueprint.co.uk>
CC: <linux-arch@vger.kernel.org>, <linux-efi@vger.kernel.org>,
        <kvm@vger.kernel.org>, <linux-doc@vger.kernel.org>, <x86@kernel.org>,
        <linux-kernel@vger.kernel.org>, <kasan-dev@googlegroups.com>,
        <linux-mm@kvack.org>, <iommu@lists.linux-foundation.org>,
        Rik van Riel <riel@redhat.com>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Arnd Bergmann <arnd@arndb.de>, Jonathan Corbet <corbet@lwn.net>,
        Joerg Roedel <joro@8bytes.org>,
        Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Larry Woodman <lwoodman@redhat.com>, Ingo Molnar <mingo@redhat.com>,
        Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Andrey Ryabinin <aryabinin@virtuozzo.com>,
        Alexander Potapenko <glider@google.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Dmitry Vyukov <dvyukov@google.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>
From: Tom Lendacky <thomas.lendacky@amd.com>
Message-ID: <8aebb166-12ae-64aa-bf1a-3f46fe8b52dd@amd.com>
Date: Fri, 9 Dec 2016 08:26:40 -0600
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <20161207131903.GU20785@codeblueprint.co.uk>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [165.204.77.1]
X-ClientProxiedBy: BN6PR15CA0006.namprd15.prod.outlook.com (10.172.204.144) To
 CY4PR12MB1144.namprd12.prod.outlook.com (10.168.164.136)
X-MS-Office365-Filtering-Correlation-Id: 946e47e0-b66c-4ee0-c7f9-08d4203f6d26
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY4PR12MB1144;
X-Microsoft-Exchange-Diagnostics: 1;CY4PR12MB1144;3:Ig8WASxwTqs2b7HfNqoh2nIFHmKqeie0WnBoXcX9ZWlxSyJdwGVXEC3Meu+4i11/9NKVddtRsCA+AO57yjn2vmzZRd7zxZRu1FXCz19+ZleeTkHLFA+iEVHrVqQzzIi6/61WYBp8NJp9x+sbNQ4F1zVy6JY8uJrJpKOIPk/s70UCXbtXUeL7eFlEcks9Q/FI5Lk1rJ68kCPoGcpUYU0LI/VRxGPoJlcEpCqrMheVHK8Pm/08M9GBR/Ay+w6sx+tZ6MHyoyX2s5ucFTyDHETffg==;25:E46jXyRkI5Ebrdp6lef8nhwLTJqA6+7Nk0og+70cgFZWswFhyR71ndlMiQVeHIqbxcj3FtPME7zFLLTtIwkG2N362sKqJ4rjLDCgb3bckKRINlTiTzTu6RNNQNGL6onFPTqTHTZmKWEOIoqx3sxaHyJET6klfsTRM/sySlaoDrfV1hivPPnKQ3eKVnrx1gQynA+8SMogckuWunLebnYiCwaYBYggiGtid+dddMD1ys2U76yjIO7vI0OumktWtebEeoVyrLhAM0oazAmsgMm8UFdE5V8eAC5RzM3TdFKtKw9saY+DfQH2IHcm978q4Q8QjaV6OZhJlvQIubXEGnn4S3W7MmFe55943YH58OiVQW0c1xOYHFxQrNQQDKqLcbwelba2J/+7WXkb8c92wMJ68zIx89O9pewSXcFCBXIwNo17dAUEKi3O6DEKJY/+pkUyzY2HXraa8Qy8QRP+F+TcRQ==
X-Microsoft-Exchange-Diagnostics: 1;CY4PR12MB1144;31:06SVOT47TMnePFgRPHU9IV9+o/Z7bG3KC9ScDVCYXgWb0YYiN6+wDqSbxv/r2gqCaKzraG9BC39K35FWhxp8/iQuoLMz4J7jFVPiDCHfYc8XoFYKQAMkT5BCMyfpbatdOCw4TaGukkR7+74MzwmbDw5wG6ViGUKnUO+aujTirjF0yJSD2htvEBk+feXiLKucQ9lYZsJETHZSCiBXaM5KlDglltDfb07bzC0qu5AG2yqZo30wH9rGsbvIGgAzmBG2C9zmxNjA6go4RxLXxiar2XJW32mCRW/xy0t8DIJrEW0=;20:FHwMahqgI7mr8jOLsXCp2R0U5D9QDREAX/ckH88ulZe+IYPrkZXQjf6juc2jZuHeo8Yxn+J8PPa82Tuy7HQv93a0Irwd1By8mTqhOkvFaWTJh7VLbf4AhSRBv51uVBfCs4vknJAQ1kHIWZSc5JK6r2Fs2PNsrW5OQ+XiRGsMluVXu5wmW9x6tf7v/A1pahA9Zfs9f4NE5PuG0KA0Um1p2ZHU2bSfM5TP4U5CJRuwr/jKhVoMdDOmdrNN6yS5BNYLhSwX8JtW3SOoYBgLh/nKOYVXp1yDlHiDk81yLA/o9qnry4PFt9o6ZlI7yOPpwafwQqJkKAgdUVOdzCM4E5s11pfbwqeLHDhhhMxtWf3BPjWtMDTqz7cD2txheGnp6AuEKG/p4KN07k1yeWgm+/QFpFhV6TRD/0BEj7dmMTGEGJmJuc3XxxUjfLCaQ57Prsa+x8JgyOdb30i0IHhsygsjAb3MdZR75dr34sBsiQ9KDuyTSvkV6VYbPEyBSvEeAtvE
X-Microsoft-Antispam-PRVS: <CY4PR12MB1144280AFC8B2D286693FB93EC870@CY4PR12MB1144.namprd12.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(767451399110)(17755550239193);
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123560025)(20161123564025)(20161123562025)(20161123555025)(6072148);SRVR:CY4PR12MB1144;BCL:0;PCL:0;RULEID:;SRVR:CY4PR12MB1144;
X-Microsoft-Exchange-Diagnostics: 1;CY4PR12MB1144;4:WBzu+u+l8e4ygjzfSiJNT93WW9XskrJSDvqnmhRZbRphFi8m8MbqqiKsEkK2OfN8UMRpTiKuXpYpC9iTCYtqxgtzmIPjR2FzkY1nuxhUg65UZRhwBmpj5pam+aLwcmDBmAxMvrdQi3JnIkrQQbRmwS7kPBnrINXxQesznafouaKI5VhJRAZEx2AnKJ426wKRcQ8YXWn+kj7dWf6OswsgWLkHA0SuJL0ieTgv1sL62nvhIWfFANC3jYT2nsnEQF4Ix4VeNEdCiD7cAkp/IJW3Virje5cTDMRgKmwnMPHwTghAgH1mHCTY59kOzfoP/uvSDwwGK7237Vi/sqJ8+sXHQtkGLtBKHDadxpxnvieAZwGKSaX2M7hn9jNI3r6G3c8mDUdANhbN+IpElLplLk09Nkfl+fnttwuF1sPx1UqQkElSmrI7pudhO2TGzYVhkAHBsCNaK1RcRjDp+bfk2/zGjRRD2hnHibmGZ7Yi7BoYKGmrODDiSOKU/rzFJzign+tenYzZ6GKyRhchySnMDljCOD/OYUPJkLUQHbvrn/BLhdzJxtQMl37LNDkaCF8+TPYDCB6Fbm9hWXUqT0lBTMSD0mGIxOm+dk7GTaJ7kEe7pDyF5KRelKII6Oo73G6oaOFTyok3eealKRiDiJleOdxJtQPbXg7lOrGZ2DAJQqTctB8=
X-Forefront-PRVS: 015114592F
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(4630300001)(6049001)(6009001)(7916002)(39410400002)(39860400002)(39450400003)(39850400002)(39840400002)(189002)(377454003)(199003)(24454002)(7416002)(4001350100001)(31686004)(110136003)(92566002)(64126003)(3846002)(305945005)(7736002)(575784001)(77096006)(6666003)(2950100002)(83506001)(6916009)(8676002)(86362001)(229853002)(81156014)(6116002)(90366009)(81166006)(733004)(31696002)(5660300001)(6486002)(38730400001)(68736007)(230700001)(23746002)(36756003)(54356999)(33646002)(101416001)(42186005)(65826007)(50986999)(106356001)(97736004)(4326007)(76176999)(2906002)(189998001)(105586002)(65806001)(47776003)(66066001)(50466002)(65956001)(217873001);DIR:OUT;SFP:1101;SCL:1;SRVR:CY4PR12MB1144;H:[10.236.64.222];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?Windows-1252?Q?1;CY4PR12MB1144;23:UUh1JuolwvdUwKgVvb11ZXV3wgSg7tdvLC5SR?=
 =?Windows-1252?Q?LXaSsRSG1XySsG+SRD9kVT2M669nkdbYBwGphQa1GgQ1bl6NwTmTARd1?=
 =?Windows-1252?Q?1K5gA9SSANwA3AHMOR8DtqIwAau/EmFKs5fcOFq8zpbhKFdX5yuuzKCa?=
 =?Windows-1252?Q?G7rNRYSuKVXVEmNX80TfuEkAnK1iXLR2o5EK3yf4LwPJIJ168V9npVw+?=
 =?Windows-1252?Q?w9A394xXvzvIEzA/Q0bGvEwpGYRXILDZGNU/93s+XXJDo3sm5lBYsWOv?=
 =?Windows-1252?Q?+YijpDVZ/bjlQcqtDQD69GyztFFRsg52Tq2NCz1NfQxeZGSj+0pKtURr?=
 =?Windows-1252?Q?euyOv08vIY8uBjiW7cZliKjJ5Zkoqk0CWnUpPKiCd8Hc03TgxXCdUV+n?=
 =?Windows-1252?Q?sDpL4XGsuXn7KBag3gbqOmLHotwKHr6QzT3SuBdAHbuuCcOw/m5WveK5?=
 =?Windows-1252?Q?7SClnFkK0wOe/J8gaUijP6x0aPtIAP2MSB32o1NAQZeTxndgDumd5jEf?=
 =?Windows-1252?Q?i3xZV7g2m1Rz5DXUWHl1gtbogoR4FV+kjjQ19BekG/eM2vTcrnZBr/l+?=
 =?Windows-1252?Q?BX8ZNqmk9BDcM1ZMkpJ3LwP9dEOj6N5FdbH1dgpitkcSkau+QUd1Pldp?=
 =?Windows-1252?Q?pWG3jBDcK3cvzR7hrORLYP/zgzKw3ZL90a8oMvbOKGI69oDguM39tHQw?=
 =?Windows-1252?Q?64Jd1lYrEyCSL+n6PQ6caI2/7XtU1FKVpqMsm187ISJfMlpbBOmZBSgJ?=
 =?Windows-1252?Q?Yb/IAKf7PQbmP8toEZWnOHYwv6kUu8LLHZRYtmnLuUTx5ZZHIzG7utf6?=
 =?Windows-1252?Q?9FvmWhUbj9JNr/bEij2qgp/W0bc+TmDq/CQO3yLpm8r4npv9Rio4Bslt?=
 =?Windows-1252?Q?/X9hVzQgVWOR+/ZurHAElC5PP4rdLX+1jvVvOcvdhg/whNDxRK4eEMdO?=
 =?Windows-1252?Q?hPZuZgYGHj5F+0ID2Ro6IiyjoLKFohWQErMs0SsqGY9XWGUL/PSWPtZA?=
 =?Windows-1252?Q?dNAEiiab3w851fFL69rqoj+AVZu+0NUlxAJrLA5HbOfxrTwsZjDbZY89?=
 =?Windows-1252?Q?dAihzoVJzeBuwL06dvfhuAu3New9vuXgmJ9840Nrye59q2nJpZVj3FwC?=
 =?Windows-1252?Q?QDonP7FS1lxNcdwyrjsqeDZARGpH0B3U5WFtvLXK5xZwBZvHZ7ngL2xz?=
 =?Windows-1252?Q?3Q+V/gIMGhB5s9DGDf3u2+DieX1Owj2S9AV+mXoigt7MPTJgJmzYTPZx?=
 =?Windows-1252?Q?xXDz0Tovbt+hg9OYLq0dSWf7vLO5vmi2Yb6D8/eHm2R9AIZiKBaQxYFM?=
 =?Windows-1252?Q?CkGI4+R1v2EGpDZzEbk7N/Fn+5hqCBOD3rxkjcW8rNDqFtWkbKIMIXGF?=
 =?Windows-1252?Q?eG8DTww5L5mXF74KXylGhU47eTbim0hVhtawu/arZFWiezDkjzBY1ZAr?=
 =?Windows-1252?Q?+Qpr8QIwN1TWc96BSPHR+yIHrI9/NNwjLwFkyL4VF+CUKYgkc+XJ64hc?=
 =?Windows-1252?Q?lH+Vb53wIEV4RR5vDuEMidNI0FWnqDrz6nVLd0+vGaAIgXM4W0QzsQSh?=
 =?Windows-1252?Q?oDtcgTySYQHn9Ry/aw9y8+NuRfzOW+V0wQZ4/PXB56GBN55xLnCoR8ty?=
 =?Windows-1252?Q?wWt0NJIHJ4LeB6sqPycch0=3D?=
X-Microsoft-Exchange-Diagnostics: 1;CY4PR12MB1144;6:Fk+TrbNM1lg8gGSJeF8upIYH24jJBH7YB9+GKlhLKPE0ibdwK0MnbL2hqGcpKnQ573UR6owB+ynneTHX5rNENNCA813/I5XQoSITFtChYaxmMbECCzKgpZD6qzZ+/zgOFdzdEQszmB8nRrKAe0t3H3MWKO905ZkR4bQdvi3uvg+mpZFh/B0R3WjkDF9JZdZ4VCji7WgqTPdlBILsw1lNp9oDOpLHOX6cZDJ0J1zfBETgB8Tx3tn3VLrFXQCI5GS5EzYHn7NmY7tA/DzE1KGdrh/qZ5mOidMHP5gZ62qDl6Q587ALm3qe6gFmXJ1Mai5o4GhTfIjZyabQWH+nW6uO9NhSFixRUm6MeEzulYKHwx7KiT5QwOhsCtpaN6yLujnCOOOAtdjopGgqZCIHqSKoMJSe/VppxjaQ72P5yw8Mvt6ERZCzdDkmq11vdkg/9DFtWo6M1ejV7iWCtRSK8xP98w==;5:XymQrVvDG8oG/2eCTOw1Tpy7u+lg34y0/T5oqT5JThg7ewPYY2mojN3D9Vw6wapA46NKDbyEsgx8zY/fTP/OVkKHEV5Y2mwVlXdjf3pbordFs+fyf3zuGNdqIJoX11pXVLfhfJ8pf1iTrAhvyQTXPg==;24:zG7A4S35r383kkuObyM6S9zdqN3np35QoIhLN+d/K84Aa88igJxLRxaZilzEE0JsGmNwpGDIcK/JRihfGpqlfry0Yx9EEUTAbvLBRlU6pck=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1;CY4PR12MB1144;7:FvC/TtmuNujpxKViaaG6B6KCtp5PSiSbL62r7ZX2XijaNUoy4HkMV8RM6MXCk8pV2velJVGspq3cE7gVUIlRKNrG3j95CEiCgumaZ0RtLNEGicnesTQj/Wx0i7g9pBFR8g73ESGbRhEjI57dsADjlMoSBnkxrpzPupLOn8yJNfkltKnsmSF0SZNrWjbTNEaNcnnl3jSfx5qX7jf2Mhf9UO3CeqUgBFybOinxDEHIGFNBsavlaTy8ExrbwAS7FDa+fI0LZbdS9jo9Cr8ZlWhsiV72pZCEIYu1R3g9/xPskOtPNA4KNRfgiPUrSDpZdcOuu346IDJnBPuRGhS3vEcYzhBOnoAEuIixpa3546YaHQM5WIk8Xffu0ZGLKwVqLrNyOAMLhxnCSCzsBf+uJdK+s5HE9hunsxjrEXqOkS2TN3MLzqkOQ/tSCTKpv2isTM2S9fQvDglgMMZdZreAPRz0lQ==;20:diRe1/3ryzaqDLyphCUABpyMWUNtMiyPQBShSnegN+fY5CH5FGwz23nTF6Q6fc/eXyF30/IEDWNmgorNeF2iP0dtoc/WryzvfCdd74alqYzcvUZFkCeR2v1Ea7xz6RVEuZilL2odbz8TkVLlz/Kf8Hw7yyP7OKVTzoxC8FgEEHO3KiEwKFArZ/vBZbW3j1ivN6Lytga8cCI52vkRIZa0iqlGWU8LZ65W4+Xhnk/1mCDAjAtbBHSEvTNGnB+PoxmY
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2016 14:26:52.2023 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR12MB1144
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4359
Lines: 135

On 12/7/2016 7:19 AM, Matt Fleming wrote:
> On Wed, 09 Nov, at 06:36:31PM, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed unencrypted.  Add support to apply the
>> proper attributes to the EFI page tables and to the early_memremap and
>> memremap APIs to identify the type of data being accessed so that the
>> proper encryption attribute can be applied.
>>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>> ---
>>  arch/x86/include/asm/e820.h    |    1 
>>  arch/x86/kernel/e820.c         |   16 +++++++
>>  arch/x86/mm/ioremap.c          |   89 ++++++++++++++++++++++++++++++++++++++++
>>  arch/x86/platform/efi/efi_64.c |   12 ++++-
>>  drivers/firmware/efi/efi.c     |   33 +++++++++++++++
>>  include/linux/efi.h            |    2 +
>>  kernel/memremap.c              |    8 +++-
>>  mm/early_ioremap.c             |   18 +++++++-
>>  8 files changed, 172 insertions(+), 7 deletions(-)
>  
> FWIW, I think this version is an improvement over all the previous
> ones.
> 
> [...]
> 
>> diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
>> index ff542cd..ee347c2 100644
>> --- a/arch/x86/mm/ioremap.c
>> +++ b/arch/x86/mm/ioremap.c
>> @@ -20,6 +20,9 @@
>>  #include <asm/tlbflush.h>
>>  #include <asm/pgalloc.h>
>>  #include <asm/pat.h>
>> +#include <asm/e820.h>
>> +#include <asm/setup.h>
>> +#include <linux/efi.h>
>>  
>>  #include "physaddr.h"
>>  
>> @@ -418,6 +421,92 @@ void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
>>  	iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
>>  }
>>  
>> +static bool memremap_setup_data(resource_size_t phys_addr,
>> +				unsigned long size)
>> +{
>> +	u64 paddr;
>> +
>> +	if (phys_addr == boot_params.hdr.setup_data)
>> +		return true;
>> +
> 
> Why is the setup_data linked list not traversed when checking for
> matching addresses? Am I reading this incorrectly? I don't see how
> this can work.

Yeah, I caught that too after I sent this out. I think the best way to
handle this would be to create a list/array of setup data addresses in
the parse_setup_data() routine and then check the address against that
list in this routine.

> 
>> +	paddr = boot_params.efi_info.efi_memmap_hi;
>> +	paddr <<= 32;
>> +	paddr |= boot_params.efi_info.efi_memmap;
>> +	if (phys_addr == paddr)
>> +		return true;
>> +
>> +	paddr = boot_params.efi_info.efi_systab_hi;
>> +	paddr <<= 32;
>> +	paddr |= boot_params.efi_info.efi_systab;
>> +	if (phys_addr == paddr)
>> +		return true;
>> +
>> +	if (efi_table_address_match(phys_addr))
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>> +static bool memremap_apply_encryption(resource_size_t phys_addr,
>> +				      unsigned long size)
>> +{
>> +	/* SME is not active, just return true */
>> +	if (!sme_me_mask)
>> +		return true;
>> +
>> +	/* Check if the address is part of the setup data */
>> +	if (memremap_setup_data(phys_addr, size))
>> +		return false;
>> +
>> +	/* Check if the address is part of EFI boot/runtime data */
>> +	switch (efi_mem_type(phys_addr)) {
>> +	case EFI_BOOT_SERVICES_DATA:
>> +	case EFI_RUNTIME_SERVICES_DATA:
>> +		return false;
>> +	}
> 
> EFI_LOADER_DATA is notable by its absence.
> 
> We use that memory type for allocations inside of the EFI boot stub
> that are than used while the kernel is running. One use that comes to
> mind is for initrd files, see handle_cmdline_files().
> 
> Oh I see you handle that in PATCH 9, never mind.
> 
>> diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
>> index 58b0f80..3f89179 100644
>> --- a/arch/x86/platform/efi/efi_64.c
>> +++ b/arch/x86/platform/efi/efi_64.c
>> @@ -221,7 +221,13 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
>>  	if (efi_enabled(EFI_OLD_MEMMAP))
>>  		return 0;
>>  
>> -	efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd);
>> +	/*
>> +	 * Since the PGD is encrypted, set the encryption mask so that when
>> +	 * this value is loaded into cr3 the PGD will be decrypted during
>> +	 * the pagetable walk.
>> +	 */
>> +	efi_scratch.efi_pgt = (pgd_t *)__sme_pa(efi_pgd);
>> +
>>  	pgd = efi_pgd;
>>  
>>  	/*
> 
> Do all callers of __pa() in arch/x86 need fixing up like this?

No, currently this is only be needed when we're dealing with values that
will be used in the cr3 register.

Thanks,
Tom

>