From: Tom Lendacky
Date: Fri, 21 Apr 2017 13:56:13 -0500
Subject: Re: [PATCH v5 32/32] x86/mm: Add support to make use of Secure Memory Encryption
CC: Rik van Riel, Radim Krčmář, Toshimitsu Kani, Arnd Bergmann, Jonathan Corbet, Matt Fleming, "Michael S. Tsirkin", Joerg Roedel, Konrad Rzeszutek Wilk, Paolo Bonzini, Larry Woodman, Brijesh Singh, Ingo Molnar, Borislav Petkov, Andy Lutomirski, "H. Peter Anvin", Andrey Ryabinin, Alexander Potapenko, Dave Young, Thomas Gleixner, Dmitry Vyukov
In-Reply-To: <20170418212223.10190.85121.stgit@tlendack-t1.amdoffice.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/18/2017 4:22 PM, Tom Lendacky wrote:
> Add support to check if SME has been enabled and if memory encryption
> should be activated (checking of command line option based on the
> configuration of the default state). If memory encryption is to be
> activated, then the encryption mask is set and the kernel is encrypted
> "in place."
> > Signed-off-by: Tom Lendacky > --- > arch/x86/kernel/head_64.S | 1 + > arch/x86/mm/mem_encrypt.c | 83 +++++++++++++++++++++++++++++++++++++++++++-- > 2 files changed, 80 insertions(+), 4 deletions(-) > ... > > -unsigned long __init sme_enable(void) > +unsigned long __init sme_enable(struct boot_params *bp) > { > + const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off; > + unsigned int eax, ebx, ecx, edx; > + unsigned long me_mask; > + bool active_by_default; > + char buffer[16];

So it turns out that when KASLR is enabled (CONFIG_RANDOMIZE_BASE=y) the stack-protector support causes issues with this function because it is called so early. I can get past it by adding:

CFLAGS_mem_encrypt.o := $(nostackp)

in the arch/x86/mm/Makefile, but that obviously eliminates the support for the whole file. Would it be better to split out the sme_enable() and other boot routines into a separate file or just apply the $(nostackp) to the whole file?

Thanks,
Tom

> + u64 msr; > + > + /* Check for the SME support leaf */ > + eax = 0x80000000; > + ecx = 0; > + native_cpuid(&eax, &ebx, &ecx, &edx); > + if (eax < 0x8000001f) > + goto out; > + > + /* > + * Check for the SME feature: > + * CPUID Fn8000_001F[EAX] - Bit 0 > + * Secure Memory Encryption support > + * CPUID Fn8000_001F[EBX] - Bits 5:0 > + * Pagetable bit position used to indicate encryption > + */ > + eax = 0x8000001f; > + ecx = 0; > + native_cpuid(&eax, &ebx, &ecx, &edx); > + if (!(eax & 1)) > + goto out; > + me_mask = 1UL << (ebx & 0x3f); > + > + /* Check if SME is enabled */ > + msr = __rdmsr(MSR_K8_SYSCFG); > + if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) > + goto out; > + > + /* > + * Fixups have not been applied to phys_base yet, so we must obtain > + * the address to the SME command line option data in the following > + * way.
> + */ > + asm ("lea sme_cmdline_arg(%%rip), %0" > + : "=r" (cmdline_arg) > + : "p" (sme_cmdline_arg)); > + asm ("lea sme_cmdline_on(%%rip), %0" > + : "=r" (cmdline_on) > + : "p" (sme_cmdline_on)); > + asm ("lea sme_cmdline_off(%%rip), %0" > + : "=r" (cmdline_off) > + : "p" (sme_cmdline_off)); > + > + if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT)) > + active_by_default = true; > + else > + active_by_default = false; > + > + cmdline_ptr = (const char *)((u64)bp->hdr.cmd_line_ptr | > + ((u64)bp->ext_cmd_line_ptr << 32)); > + > + cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer)); > + > + if (strncmp(buffer, cmdline_on, sizeof(buffer)) == 0) > + sme_me_mask = me_mask; > + else if (strncmp(buffer, cmdline_off, sizeof(buffer)) == 0) > + sme_me_mask = 0; > + else > + sme_me_mask = active_by_default ? me_mask : 0; > + > +out: > return sme_me_mask; > } > > @@ -543,9 +618,9 @@ unsigned long sme_get_me_mask(void) > > #else /* !CONFIG_AMD_MEM_ENCRYPT */ > > -void __init sme_encrypt_kernel(void) { } > -unsigned long __init sme_enable(void) { return 0; } > +void __init sme_encrypt_kernel(void) { } > +unsigned long __init sme_enable(struct boot_params *bp) { return 0; } > > -unsigned long sme_get_me_mask(void) { return 0; } > +unsigned long sme_get_me_mask(void) { return 0; } > > #endif /* CONFIG_AMD_MEM_ENCRYPT */ >
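
Review bot: In the sme_enable() hunk, buffer is declared as "char buffer[16];" with no initializer and the return value of cmdline_find_option() is discarded, so both strncmp() calls rely on that helper always leaving a terminated string in the buffer, including when the option is absent or when the pointer assembled from bp->hdr.cmd_line_ptr and bp->ext_cmd_line_ptr is zero. Set buffer[0] = '\0' before the call, or test the return value and go straight to the active_by_default case when it reports no match. As a smaller style point, the if/else that sets active_by_default can be the single assignment active_by_default = IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT).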
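
Review bot: In the "@@ -543,9 +618,9 @@" hunk, the sme_encrypt_kernel() and sme_get_me_mask() stubs are removed and re-added with the same text, so the only change to them can be whitespace alignment, which adds churn to a functional patch. Keep this hunk to the sme_enable(struct boot_params *bp) stub, or mention the realignment in the commit message. Also check that struct boot_params is declared for the !CONFIG_AMD_MEM_ENCRYPT branch, since the stub now names the type and nothing visible here provides it.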