Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753633AbdHXSzM (ORCPT ); Thu, 24 Aug 2017 14:55:12 -0400 Received: from mail-by2nam01on0052.outbound.protection.outlook.com ([104.47.34.52]:62561 "EHLO NAM01-BY2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752974AbdHXSzJ (ORCPT ); Thu, 24 Aug 2017 14:55:09 -0400 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Lendacky@amd.com; Subject: Re: [RFC Part1 PATCH v3 14/17] x86/boot: Add early boot support when running with SEV active To: Borislav Petkov , Brijesh Singh Cc: linux-kernel@vger.kernel.org, x86@kernel.org, linux-efi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org, Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Tony Luck , Piotr Luc , Fenghua Yu , Lu Baolu , Reza Arbab , David Howells , Matt Fleming , "Kirill A . Shutemov" , Laura Abbott , Ard Biesheuvel , Andrew Morton , Eric Biederman , Benjamin Herrenschmidt , Paul Mackerras , Konrad Rzeszutek Wilk , Jonathan Corbet , Dave Airlie , Kees Cook , Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Arnd Bergmann , Tejun Heo , Christoph Lameter References: <20170724190757.11278-1-brijesh.singh@amd.com> <20170724190757.11278-15-brijesh.singh@amd.com> <20170823153058.yli5qogrmjl74wkl@pd.tnic> From: Tom Lendacky Message-ID: <42cf82fc-03be-c4c7-eaab-b2306a049d20@amd.com> Date: Thu, 24 Aug 2017 13:54:57 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20170823153058.yli5qogrmjl74wkl@pd.tnic> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [165.204.78.1] X-ClientProxiedBy: CY4PR02CA0045.namprd02.prod.outlook.com (10.175.57.159) To BN6PR12MB1139.namprd12.prod.outlook.com (10.168.226.141) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: d6405d1b-80f8-417e-aa86-08d4eb21a2be X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(48565401081)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BN6PR12MB1139; X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1139;3:QWXD4NUqIwRTrDwIG5szVp3/wQk/qbP3+O3vCx4mGss6ihLKmSvTDrsXNnDvVqCNHbpF3IBzMr1dgnHjaj5Ru7BalLS+7APSWJLBa1o157LhwGuE9Tsgl6g/NcEfVIS/I+edx5go2q9BwUGCTkJpi5U3R9HczD1G1uUAFRKNovdPVAhjBfcujof7G1DD9gqUv3e5IIfnCbqN4M4VZS3905LSEqDbNoPDL9yn0PZ149/GbQ/+LNNKyQj8ox0XtGZv;25:mPnIcHkqujiSMAxvw92BZj4Iv93JsN+Plsy1yz9xZW54d6rpj64Cr96u1V4W5YRg+nzmK/LWdGGwgO38YtNgSLUUkpFnWZGNbS3yxsd10oucpZPIDanN09Z1kLA+46m7FUztjTagNBSEZt9G0dEg+TcX4i6rjpk/42ZG+Xw4W8hCL8F5XZDDNX82csUafG+7IPQ6OeAaGMWmkQowaMYQYr9q1P+7Fau81HbhJaTm6y3cSpq0uLpgI5NP39uIbmUJvxtWKOOS8vT/XZjgc3sx8onfph8PqzAhW8FurLuEEwFl5n7gauT8hcyqsfuEJw4Yv0jcPpUrrf4cT7eZv3NxPg==;31:FKQ/IQ6YYa2FRJkf+h6ItgKsUhaFUi7vr7wphEW/s5KpHWByAtdVLopr33xVdCh38bp5eB4PkBO/i78Edo7dve+0TKSNECoCPFjfEw6FLHqfqMkz5K5SeBauwuFw7hMJtvBkX/Rn5b+S/b55dT3SzCeAuviP7+CrNHItvfH81l042d3QtqQUgoTFm2u3I7ZYqUIonX8cGji1Xp+lP0LRbP3sEVwRs2d81u5x2eeP3G0= X-MS-TrafficTypeDiagnostic: BN6PR12MB1139: X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1139;20:EepUsDlCrAXBbQCgsjmAXNoR/aTOTR4WcDUojjyoPpo6JH3LR9Oeih+m1Ul9p3YAPciK1wJCBlafGikCednHKkz7MqCKUL6722H02Nb03VvaY14H38vOgKqEb4ZhbrbZQ0/qjbd4CHPiILzCxaQqWSubEZg81fNuMF8wc5UVPvDEgeNRJPpVRl7NgG9w+4sxJ9OqgbOypF7K9kAWyGJCPvEe3dPB5zwckwL1B9N9fo+d7GOOiQZM+U+wPUaAS8kPeXHosZvjTNd1uH5TccOL0oxDsqnGOCfZNpY1KYeFe4rKFC9h8EKnN4vNYp6lMKbYFCS83KdjZ5cAEh2jiM3tdf3YhTPYkTy4g5oRpDrjEahirnyKs3nFbLFTrFHV5JNN88H0vE9hIFIu7lsrCZ7izER99oHlabUHsJ3PFOk+EIXyy7gVsH1AzE+ivEm7pnKYqhiVyyOvC28p4b8DU/Dj5Aqe10AyGXu9CVePLBSyxW/iZzdZtTpFkt0og0UBKmH5;4:V2AgN+EhPpjkuqiUCBp3CAka8jOgbKitwrkfCPjMbkfXQhqiOdUSWi2r3YyksN5FJshJOSZWN9/HlIpq4S8B7coK2jT11ggwk+3n7qwezEugzbA1ROIkHp0XiMhGrl/KTDkHpIwT8exDKNNKQ7pP/8lSxTaH/5Am06Okyw3kvdweDwh4w4u1pMoCENxkYZrN36DPKwFRaql01JLww2F/z6H2H8I8Ke9l+3ugpeoxF5X7WePPEVoNI6L/TRArKnpvUYmJWVs2WbGJshoNLOIikhDlLsTO1ZO52q3fbigu6UTDd5cP+esinnGb6va0pxhZRosvyoFf6CRocNv/C2l6gA== X-Exchange-Antispam-Report-Test: UriScan:(767451399110)(17755550239193); X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(100000703101)(100105400095)(6055026)(6041248)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123564025)(20161123558100)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN6PR12MB1139;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN6PR12MB1139; X-Forefront-PRVS: 04097B7F7F X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(4630300001)(7370300001)(6009001)(6049001)(39860400002)(377454003)(189002)(24454002)(199003)(105586002)(77096006)(106356001)(65826007)(33646002)(66066001)(6486002)(65956001)(65806001)(5660300001)(6246003)(7406005)(72206003)(7416002)(68736007)(90366009)(3846002)(50466002)(42186005)(97736004)(47776003)(6116002)(189998001)(4001350100001)(2906002)(478600001)(229853002)(83506001)(230700001)(53546010)(6666003)(50986999)(6636002)(2950100002)(76176999)(54356999)(54906002)(31696002)(8676002)(81156014)(81166006)(101416001)(3260700006)(36756003)(25786009)(305945005)(7736002)(64126003)(31686004)(86362001)(4326008)(53936002)(23676002)(7350300001)(2004002);DIR:OUT;SFP:1101;SCL:1;SRVR:BN6PR12MB1139;H:[10.236.64.148];FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtCTjZQUjEyTUIxMTM5OzIzOnROeld5dHJjQ2hhaGxJZ0Z1ZEZLbTNTOXR5?= =?utf-8?B?ak9uNE4yZnNPM3JhYlZDbkhnd1JVMzRCOFhaY2hMUWpJc2Zsb0pWb3l5LytT?= =?utf-8?B?RDR6bUpnYXlZcktuVS9oMUZaWDdBQk56QjdVcFZVYnNZcitjcGNtaUY5ODFQ?= =?utf-8?B?aDFCRFhjOURRUytya2ZTOVVRWWZuNktvdWliTDI3THVsb09pNEtndHdYU0g2?= =?utf-8?B?RGNXVFpWa0Fqa1ZlUnlicngrYWhIUE1YS2NmMksrZHNVY2ZJSndaeERVUmhl?= =?utf-8?B?K1lzTSttZUxzL3l4clV6RXV0TTgzckJHc1NGOGNJTUFocXpaT2ZIL1YwVkhh?= =?utf-8?B?R2o4aHJxclkyOUFiaUxJU2IzSW9NMXdTRlJqQTArZG1STVF3dFI2czk3TXFK?= =?utf-8?B?Z1VVcWpaQTk1eFY0WmRUUGxLcERlVEJJOFJCMmhwRVNwUTk2NlNUSXp4clo2?= =?utf-8?B?NDFSVkMxNWVyUVNORnMveGJ2NFJmZ3dDSHAvekxoUVpQa3J4bkFkUExCSnZ0?= =?utf-8?B?ajZTMXphcVhDQld1Vm1QVGJQSFVJOHowdUVlaUFWd1hjTU1yZVN4RDJjVkJh?= =?utf-8?B?emQxdnZCZ3BYZU9ZYVZ4b24rUm1nWlNIQ2VzMTdTKytBcFhsSGprbFllQndM?= =?utf-8?B?d3FTckZpeEx1TlQ4M1hBdXJPVUJJWGRCMDhLTUVKRU43enh3SG9iSWFGQWxR?= =?utf-8?B?ZTBxNXkvcGlqRFJodHRqQ29kemFDeCtXMVlVOC80UWMya2lVYWJ4M1ErTWdH?= =?utf-8?B?UGVrelY0TnJweDdzNjE2YTFqblJLWUNLWEp1eTJTUmgyNmZoMFNJNUZhOStk?= =?utf-8?B?Nk5ZMnB1ZFpWdUd3UmJxSHoxU2wxWTFxT0VEdUw2QzRwNDEvK0RLZGM0dDg2?= =?utf-8?B?N0krdGpZaDhjenlOaU53dk5mc2NmcVZlNVoyaExERGhPOHBXRENwZm8yNUtz?= =?utf-8?B?ajNCQkdlaGtHVkpidmliWTl3cklqRWl5ZHhhU1JlV0c3MnVqNzRqVlFzV01K?= =?utf-8?B?dk9iK0pyeW1hcVBEc3hRZnpiMFg5T2ltVFl3MS94ZzgweElqcHhMRGhLOEEv?= =?utf-8?B?RzNaME1DdVBkT1hpOERzZFdpQ1RJZ21SZVNrM1czcUt1UmV3ODUxRGJQNTRL?= =?utf-8?B?b0kyUlBnTmlLbUk1cmJKb040cFdOYUJxZFY2WlIwQUd4bDM1UXlhSU1oQ1l4?= =?utf-8?B?RnRFOTBGa3AzSERyMlo0bUJwc1VzcmVuWlNTdVBHdmpFa0tLa3pSWWRuOUcw?= =?utf-8?B?TEdnb3RmcWMyWEJNRUJCREJmSnNVY0owQUtyb2NpMlJLeC96UHZsY2dwMlVm?= =?utf-8?B?N29admFuTGQrR0tld2FuamJpKzJ4YU1kQ05VK3ArSGt3TXhWSU96MzR1ZkN6?= =?utf-8?B?THZZTE00cXBrakJqWm9jcExwYnRMVWNDd0h2YjNKN215QXVaY3c5Z1FpRE51?= =?utf-8?B?T3hnWnB2VFo4YWV5dk5nbjlCNEhUUzh4RmMwSlNFNktjSVpwWUdHZkx4OFE1?= =?utf-8?B?anZWMjZyc3VES1MvVkFPNkdGenY3WGFnM1VsRi92d3JYL2c2YTVjOGNOQnFh?= =?utf-8?B?U09MdzByNGZPV3lDWmRPbkxmdHltdGVETnhXVkZ1Y0JqUWtqSHZZTWR3aTRN?= =?utf-8?B?VS93K1lWREkzaFJmZGJCT2dSTW44Mnk4cEtUZk9SMEJ2VDNVckg2b3J3Nk90?= =?utf-8?B?K0ZHWHkvZ1FTQzVaMGpSRUZmd0Y1aU4yZjZpVW9xc0ttbXNiMzNWNnEyTXcx?= =?utf-8?B?My9FOTR0UUdKR0VJVlJVcy9JWmxHKzR4aU9CMFVRZU9QbENrMXJkNEVGWDRC?= =?utf-8?B?M1hQZjVpc2RtQzh3djNtSjJldUpYTTVJdWdaQlJXR0pYQ2V0VFBUZXluZGRB?= =?utf-8?B?Y3BWZ2xEVyt6d0llb2g2dGVMSE8xTVJTRzJaNm1mdHJPNTFMdUduL0FBVzk1?= =?utf-8?B?YWdURi9PYjlQbFJ1UU1OWlVHOUZHY0Myc0JjSUlTYmNVaWFaWERXN245VUc3?= =?utf-8?B?S2VnV3FHTmlHZEpZT0dqVERIczVYQnd5VnRSMTFadEV0em1PN0dYcVF0dlV3?= =?utf-8?Q?KtUg=3D?= X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1139;6:0We72Ti6X6LWUy6+/fxWBFbV7Yfc9F8f1yHYFfIc+DIVO6hfQnFDaPba6kN+nkm5zeawF6K1ACdBFKkNAmZzTEXKYXV7fzftEty54s3r0QhLfrpM64QAeQuMWzNXQ8ZhV5GsTtjz6V4CcoW1dDw17D9ckTr08BbvEanYGmmT92YTWaKf5kz5MzPLiMQeYrhgpj3eubd+NKuGHv1KhcejwPQ+LeUrJ20hK5zhECBeoEc4yZ9hFWhMTdrn/b2YQakZpSFyhCeWKwe8szpcYKCrlF2gNrAY0j4SRri1r9r1jHKVctLN6CqyqMyuORg0icUpOFiyDSF8UzkefvR2Nj6nfw==;5:qQuEPIjuAy40hs3RFM3tA2lEuM9WBiDs+0CUEIpPDB9iJtZgdPogi59hxkXQXvPawHTbKckdeik2T8XTJzzmlA6aZwryiAX+5Kym6AGTy1WRa6cOvFnzNnYsPdLOMa3njPU4xAxuiicf5gMXG8RwvQ==;24:SBZDbgrxVyGeO3Znzx9GKU3a2aknA3bI28CMiluH9Q9a+aHPxaXrikABKHeWxx9VB1iZ+CAhMJHbw1acCNASCU9IJ2s8pg4hICcDzmP6yuk=;7:PvA8uH4bdPOwYU1LJ5HvAOnAKBpdszU8MgFoiNGtCn4kcbtULAyc108pDfePc5i36eZGTN0swyOGJubpt5hwVKNNp6U+JEids3IMrgcUm3Jj2Ref/ru4gSY7XoHLx25Gl8qrNk7/3JzUiu0OE6lnuI35Z0BQQgAJRH/nMXNyZDS4Vl3bicvvF9ESx5o17MRZp9iOEghBPuH5Acj6fIQfuZGZCpRxAJIWajj02m3xr20= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;BN6PR12MB1139;20:IZaus6v2LSGF5QV/kdYf8Vsl8YLkAHMPJfLsXDPVa/0QwApCeTlvwXxhUr9Y8vst9rOtjdK4ZeI/98GAH4UngBfkqKe7A4Xcm1TIvz0MHSc/JUjcC2Py4z/vcsT946Hhvx+K5FgGIHxJPDmLGlsUJPFjtCg0J78jUuDDD9e8Was499W6UBzXNXLuMF0u+cuUlx0Y7WICPflp+tg14fucbmLPuEB4tpFEWzX0BXji+faFet4cncR3t0eSPeQ5zMGO X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Aug 2017 18:55:02.6367 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1139 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 10395 Lines: 341 On 8/23/2017 10:30 AM, Borislav Petkov wrote: > On Mon, Jul 24, 2017 at 02:07:54PM -0500, Brijesh Singh wrote: >> From: Tom Lendacky >> >> Early in the boot process, add checks to determine if the kernel is >> running with Secure Encrypted Virtualization (SEV) active. >> >> Checking for SEV requires checking that the kernel is running under a >> hypervisor (CPUID 0x00000001, bit 31), that the SEV feature is available >> (CPUID 0x8000001f, bit 1) and then check a non-interceptable SEV MSR >> (0xc0010131, bit 0). >> >> This check is required so that during early compressed kernel booting the >> pagetables (both the boot pagetables and KASLR pagetables (if enabled) are >> updated to include the encryption mask so that when the kernel is >> decompressed into encrypted memory. > > , it can boot properly. > > :) > Yup, kinda didn't complete that sentence. >> After the kernel is decompressed and continues booting the same logic is >> used to check if SEV is active and set a flag indicating so. This allows >> us to distinguish between SME and SEV, each of which have unique >> differences in how certain things are handled: e.g. DMA (always bounce >> buffered with SEV) or EFI tables (always access decrypted with SME). >> >> Signed-off-by: Tom Lendacky >> Signed-off-by: Brijesh Singh >> --- >> arch/x86/boot/compressed/Makefile | 2 + >> arch/x86/boot/compressed/head_64.S | 16 +++++ >> arch/x86/boot/compressed/mem_encrypt.S | 103 +++++++++++++++++++++++++++++++++ >> arch/x86/boot/compressed/misc.h | 2 + >> arch/x86/boot/compressed/pagetable.c | 8 ++- >> arch/x86/include/asm/mem_encrypt.h | 3 + >> arch/x86/include/asm/msr-index.h | 3 + >> arch/x86/include/uapi/asm/kvm_para.h | 1 - >> arch/x86/mm/mem_encrypt.c | 42 +++++++++++--- >> 9 files changed, 169 insertions(+), 11 deletions(-) >> create mode 100644 arch/x86/boot/compressed/mem_encrypt.S >> >> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile >> index 2c860ad..d2fe901 100644 >> --- a/arch/x86/boot/compressed/Makefile >> +++ b/arch/x86/boot/compressed/Makefile >> @@ -72,6 +72,8 @@ vmlinux-objs-y := $(obj)/vmlinux.lds $(obj)/head_$(BITS).o $(obj)/misc.o \ >> $(obj)/string.o $(obj)/cmdline.o $(obj)/error.o \ >> $(obj)/piggy.o $(obj)/cpuflags.o >> >> +vmlinux-objs-$(CONFIG_X86_64) += $(obj)/mem_encrypt.o > > There's a > > ifdef CONFIG_X86_64 > > a couple of lines below. Just put it there. Will do. > > ... > >> +++ b/arch/x86/boot/compressed/mem_encrypt.S >> @@ -0,0 +1,103 @@ >> +/* >> + * AMD Memory Encryption Support >> + * >> + * Copyright (C) 2017 Advanced Micro Devices, Inc. >> + * >> + * Author: Tom Lendacky >> + * >> + * This program is free software; you can redistribute it and/or modify >> + * it under the terms of the GNU General Public License version 2 as >> + * published by the Free Software Foundation. >> + */ >> + >> +#include >> + >> +#include >> +#include >> +#include >> + >> + .text >> + .code32 >> +ENTRY(get_sev_encryption_bit) >> + xor %eax, %eax >> + >> +#ifdef CONFIG_AMD_MEM_ENCRYPT >> + push %ebx >> + push %ecx >> + push %edx >> + >> + /* Check if running under a hypervisor */ >> + movl $1, %eax >> + cpuid >> + bt $31, %ecx /* Check the hypervisor bit */ >> + jnc .Lno_sev >> + >> + movl $0x80000000, %eax /* CPUID to check the highest leaf */ >> + cpuid >> + cmpl $0x8000001f, %eax /* See if 0x8000001f is available */ >> + jb .Lno_sev >> + >> + /* >> + * Check for the SEV feature: >> + * CPUID Fn8000_001F[EAX] - Bit 1 >> + * CPUID Fn8000_001F[EBX] - Bits 5:0 >> + * Pagetable bit position used to indicate encryption >> + */ >> + movl $0x8000001f, %eax >> + cpuid >> + bt $1, %eax /* Check if SEV is available */ >> + jnc .Lno_sev >> + >> + movl $MSR_F17H_SEV, %ecx /* Read the SEV MSR */ >> + rdmsr >> + bt $MSR_F17H_SEV_ENABLED_BIT, %eax /* Check if SEV is active */ >> + jnc .Lno_sev >> + >> + /* >> + * Get memory encryption information: >> + */ > > The side-comment is enough. This one above can go. Done. > >> + movl %ebx, %eax >> + andl $0x3f, %eax /* Return the encryption bit location */ >> + jmp .Lsev_exit >> + >> +.Lno_sev: >> + xor %eax, %eax >> + >> +.Lsev_exit: >> + pop %edx >> + pop %ecx >> + pop %ebx >> + >> +#endif /* CONFIG_AMD_MEM_ENCRYPT */ >> + >> + ret >> +ENDPROC(get_sev_encryption_bit) >> + >> + .code64 >> +ENTRY(get_sev_encryption_mask) >> + xor %rax, %rax >> + >> +#ifdef CONFIG_AMD_MEM_ENCRYPT >> + push %rbp >> + push %rdx >> + >> + movq %rsp, %rbp /* Save current stack pointer */ >> + >> + call get_sev_encryption_bit /* Get the encryption bit position */ > > So we get to call get_sev_encryption_bit() here again and noodle through > the CPUID discovery and MSR access. We should instead cache that info > and return the encryption bit directly on a second call. (And initialize > it to -1 to denote that get_sev_encryption_bit() hasn't run yet). Ok, I'll look into that optimization. > > ... > >> diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h >> index 9274ec7..9cb6472 100644 >> --- a/arch/x86/include/asm/mem_encrypt.h >> +++ b/arch/x86/include/asm/mem_encrypt.h >> @@ -19,6 +19,9 @@ >> >> #include >> >> +#define AMD_SME_FEATURE_BIT BIT(0) >> +#define AMD_SEV_FEATURE_BIT BIT(1) > > s/_FEATURE// > > AMD_SME_BIT and AMD_SEV_BIT is good enough :) > > And frankly, if you're going to use them only below in sme_enable() - I > need to check more thoroughly the remaining patches - but if you only > are going to use them there, just define them inside the function so > that they're close. Sounds good. I believe that is the only place they are/will be used so I'll make that change. > >> + >> #ifdef CONFIG_AMD_MEM_ENCRYPT >> >> extern unsigned long sme_me_mask; >> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h >> index e399d68..530020f 100644 >> --- a/arch/x86/include/asm/msr-index.h >> +++ b/arch/x86/include/asm/msr-index.h >> @@ -326,6 +326,9 @@ >> >> /* Fam 17h MSRs */ >> #define MSR_F17H_IRPERF 0xc00000e9 >> +#define MSR_F17H_SEV 0xc0010131 > > If that MSR is going to be used later on - and I don't see why not - you > probably should make it an arch one: MSR_AMD64_SEV. Even if it isn't yet > officially. :-) > Will do. >> +#define MSR_F17H_SEV_ENABLED_BIT 0 >> +#define MSR_F17H_SEV_ENABLED BIT_ULL(MSR_F17H_SEV_ENABLED_BIT) >> >> /* Fam 16h MSRs */ >> #define MSR_F16H_L2I_PERF_CTL 0xc0010230 >> diff --git a/arch/x86/include/uapi/asm/kvm_para.h b/arch/x86/include/uapi/asm/kvm_para.h >> index a965e5b..c202ba3 100644 >> --- a/arch/x86/include/uapi/asm/kvm_para.h >> +++ b/arch/x86/include/uapi/asm/kvm_para.h >> @@ -109,5 +109,4 @@ struct kvm_vcpu_pv_apf_data { >> #define KVM_PV_EOI_ENABLED KVM_PV_EOI_MASK >> #define KVM_PV_EOI_DISABLED 0x0 >> >> - >> #endif /* _UAPI_ASM_X86_KVM_PARA_H */ >> diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c >> index 5e5d460..ed8780e 100644 >> --- a/arch/x86/mm/mem_encrypt.c >> +++ b/arch/x86/mm/mem_encrypt.c >> @@ -288,7 +288,9 @@ void __init mem_encrypt_init(void) >> if (sev_active()) >> dma_ops = &sme_dma_ops; >> >> - pr_info("AMD Secure Memory Encryption (SME) active\n"); >> + pr_info("AMD %s active\n", >> + sev_active() ? "Secure Encrypted Virtualization (SEV)" >> + : "Secure Memory Encryption (SME)"); >> } >> >> void swiotlb_set_mem_attributes(void *vaddr, unsigned long size) >> @@ -616,12 +618,23 @@ void __init __nostackprotector sme_enable(struct boot_params *bp) >> { >> const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off; >> unsigned int eax, ebx, ecx, edx; >> + unsigned long feature_mask; >> bool active_by_default; >> unsigned long me_mask; >> char buffer[16]; >> u64 msr; >> >> - /* Check for the SME support leaf */ >> + /* >> + * Set the feature mask (SME or SEV) based on whether we are >> + * running under a hypervisor. >> + */ >> + eax = 1; >> + ecx = 0; >> + native_cpuid(&eax, &ebx, &ecx, &edx); >> + feature_mask = (ecx & BIT(31)) ? AMD_SEV_FEATURE_BIT >> + : AMD_SME_FEATURE_BIT; > > Set that feature mask before using it... > >> + >> + /* Check for the SME/SEV support leaf */ > > ... because if that check exits due to no SME leaf, you're uselessly > doing all the above. Ok, I'll move that down after the leaf check. > >> eax = 0x80000000; >> ecx = 0; >> native_cpuid(&eax, &ebx, &ecx, &edx); >> @@ -629,24 +642,39 @@ void __init __nostackprotector sme_enable(struct boot_params *bp) >> return; >> >> /* >> - * Check for the SME feature: >> + * Check for the SME/SEV feature: >> * CPUID Fn8000_001F[EAX] - Bit 0 >> * Secure Memory Encryption support >> + * CPUID Fn8000_001F[EAX] - Bit 1 > > No need to repeat the CPUID leaf here - only Bit 1: > > * CPUID Fn8000_001F[EAX] > * - Bit 0: Secure Memory Encryption support > * - Bit 1: Secure Encrypted Virtualization support > Ok, I'll clean that up. Thanks, Tom > >> + * Secure Encrypted Virtualization support >> * CPUID Fn8000_001F[EBX] - Bits 5:0 >> * Pagetable bit position used to indicate encryption >> */ >> eax = 0x8000001f; >> ecx = 0; >> native_cpuid(&eax, &ebx, &ecx, &edx); >> - if (!(eax & 1)) >> + if (!(eax & feature_mask)) >> return; >> >> me_mask = 1UL << (ebx & 0x3f); >> >> - /* Check if SME is enabled */ >> - msr = __rdmsr(MSR_K8_SYSCFG); >> - if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) >> + /* Check if memory encryption is enabled */ >> + if (feature_mask == AMD_SME_FEATURE_BIT) { >> + /* For SME, check the SYSCFG MSR */ >> + msr = __rdmsr(MSR_K8_SYSCFG); >> + if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) >> + return; >> + } else { >> + /* For SEV, check the SEV MSR */ >> + msr = __rdmsr(MSR_F17H_SEV); >> + if (!(msr & MSR_F17H_SEV_ENABLED)) >> + return; >> + >> + /* SEV state cannot be controlled by a command line option */ >> + sme_me_mask = me_mask; >> + sev_enabled = 1; >> return; >> + } > > Nice. Two birds with one stone is always better. :) > >