Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2008810pxa; Mon, 24 Aug 2020 02:21:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzP+X4OgjufVeooYY4uxNXZNObogbsflsbM1ncIstHXSMAVrXOp2ja82jrfNfkCsC2XUqFF X-Received: by 2002:a17:906:a446:: with SMTP id cb6mr150276ejb.15.1598260860593; Mon, 24 Aug 2020 02:21:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598260860; cv=none; d=google.com; s=arc-20160816; b=Gm/J8FKf0RBIjp3QHuxzy3ueJUwV1ib5BB3OPuOOP9bxIEoYe54a6xuR0fUUw5CjCr a937PLH7LTV2aGzGcuxLNCtACwQWpRBXKnSXN/5Z8GZ9B8Xu+5n8RZNs9Xq3kOrhgHM/ 9RrGYl1JXeAKTsjxJus016UpIil75sMrLmRF7Gf2aOP6ulfyGsV/my502p2bm4HrlQE8 8hqi1CrZiyFw6CjLKvUjCaVS5xJtbQkHLO6YWm2b6oZ2l0ueUoOvU15RxwRXH8D+DGaB 7ru9YsXc1i30piv2XtF2gCVadkwpFdA897QDd8Aor9EnNdump66zxsPidp1p9NDzpWQw 8yCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=gIBo49nctF92T6LKpPkG+rRft14/Ddpu52+JMkD8ye0=; b=SMZkdjR9E+GPqjZ8VcMj/gyfcCVhx4NPP5DnsC52zojPYnTgHL6rYUw7aZ9vK9qwf5 NaTX1nw0DHkyP0zRNof4S1UISh3moYQnfzsV1QCoEOPZNiWl5MDxLpCxF9BJSxRv/sJ9 qfsGruX4eyCHJOR5h65DCOShWiktlJZVNk/mEUK+PQi5OzVWNE56Gn0n6c8firx6FDs9 Ev3SKtRA/0uYmrs0weRBs1RiNLvsDKYaat2AD2Vb3Tl9QTLiJZhJSe9V4PuIRD5RtJOz wiI3B1Ksh3/DfJP18g2qOgAtXvNz17TtmQNOjD26adIDdhW/NrC3ZSMonrHQKjXeSRZN 8slA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dg17si593332edb.397.2020.08.24.02.20.37; Mon, 24 Aug 2020 02:21:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730292AbgHXJUC (ORCPT + 99 others); Mon, 24 Aug 2020 05:20:02 -0400 Received: from 8bytes.org ([81.169.241.247]:36850 "EHLO theia.8bytes.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730164AbgHXIzv (ORCPT ); Mon, 24 Aug 2020 04:55:51 -0400 Received: from cap.home.8bytes.org (p4ff2bb8d.dip0.t-ipconnect.de [79.242.187.141]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by theia.8bytes.org (Postfix) with ESMTPSA id 2A0AA2DA; Mon, 24 Aug 2020 10:55:46 +0200 (CEST) From: Joerg Roedel To: x86@kernel.org Cc: Joerg Roedel , Joerg Roedel , hpa@zytor.com, Andy Lutomirski , Dave Hansen , Peter Zijlstra , Jiri Slaby , Dan Williams , Tom Lendacky , Juergen Gross , Kees Cook , David Rientjes , Cfir Cohen , Erdem Aktas , Masami Hiramatsu , Mike Stunes , Sean Christopherson , Martin Radev , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v6 00/76] x86: SEV-ES Guest Support Date: Mon, 24 Aug 2020 10:53:55 +0200 Message-Id: <20200824085511.7553-1-joro@8bytes.org> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Joerg Roedel Hi, here is the new version of the SEV-ES client enabling patch-set. It is based on the latest tip/master branch and contains the necessary changes. In particular those ar: - Enabling CR4.FSGSBASE early on supported processors so that early #VC exceptions on APs can be handled. - Add another patch (patch 1) to fix a KVM frame-size build warning on 32bit. The previous versions can be found as a linked-list starting here: https://lore.kernel.org/lkml/20200724160336.5435-1-joro@8bytes.org/ There you also find more detailed information about SEV-ES in general and its implications. Please review. Thanks, Joerg Borislav Petkov (1): KVM: SVM: Use __packed shorthand Doug Covelli (1): x86/vmware: Add VMware specific handling for VMMCALL under SEV-ES Joerg Roedel (54): KVM: SVM: nested: Don't allocate VMCB structures on stack KVM: SVM: Add GHCB Accessor functions x86/traps: Move pf error codes to x86/insn: Make inat-tables.c suitable for pre-decompression code x86/umip: Factor out instruction fetch x86/umip: Factor out instruction decoding x86/insn: Add insn_get_modrm_reg_off() x86/insn: Add insn_has_rep_prefix() helper x86/boot/compressed/64: Disable red-zone usage x86/boot/compressed/64: Add IDT Infrastructure x86/boot/compressed/64: Rename kaslr_64.c to ident_map_64.c x86/boot/compressed/64: Add page-fault handler x86/boot/compressed/64: Always switch to own page-table x86/boot/compressed/64: Don't pre-map memory in KASLR code x86/boot/compressed/64: Change add_identity_map() to take start and end x86/boot/compressed/64: Add stage1 #VC handler x86/boot/compressed/64: Call set_sev_encryption_mask earlier x86/boot/compressed/64: Check return value of kernel_ident_mapping_init() x86/boot/compressed/64: Add set_page_en/decrypted() helpers x86/boot/compressed/64: Setup GHCB Based VC Exception handler x86/boot/compressed/64: Unmap GHCB page before booting the kernel x86/fpu: Move xgetbv()/xsetbv() into separate header x86/idt: Move IDT to data segment x86/idt: Split idt_data setup out of set_intr_gate() x86/head/64: Install startup GDT x86/head/64: Setup MSR_GS_BASE before calling into C code x86/head/64: Load GDT after switch to virtual addresses x86/head/64: Load segment registers earlier x86/head/64: Switch to initial stack earlier x86/head/64: Make fixup_pointer() static inline x86/head/64: Load IDT earlier x86/head/64: Move early exception dispatch to C code x86/head/64: Set CR4.FSGSBASE early x86/sev-es: Add SEV-ES Feature Detection x86/sev-es: Print SEV-ES info into kernel log x86/sev-es: Compile early handler code into kernel image x86/sev-es: Setup early #VC handler x86/sev-es: Setup GHCB based boot #VC handler x86/sev-es: Allocate and Map IST stack for #VC handler x86/sev-es: Adjust #VC IST Stack on entering NMI handler x86/dumpstack/64: Add noinstr version of get_stack_info() x86/entry/64: Add entry code for #VC handler x86/sev-es: Wire up existing #VC exit-code handlers x86/sev-es: Handle instruction fetches from user-space x86/sev-es: Handle MMIO String Instructions x86/sev-es: Handle #AC Events x86/sev-es: Handle #DB Events x86/paravirt: Allow hypervisor specific VMMCALL handling under SEV-ES x86/realmode: Add SEV-ES specific trampoline entry point x86/smpboot: Setup TSS for starting AP x86/head/64: Don't call verify_cpu() on starting APs x86/head/64: Rename start_cpu0 x86/sev-es: Support CPU offline/online x86/sev-es: Handle NMI State Martin Radev (1): x86/sev-es: Check required CPU features for SEV-ES Tom Lendacky (19): KVM: SVM: Add GHCB definitions x86/cpufeatures: Add SEV-ES CPU feature x86/sev-es: Add support for handling IOIO exceptions x86/sev-es: Add CPUID handling to #VC handler x86/sev-es: Setup per-cpu GHCBs for the runtime handler x86/sev-es: Add Runtime #VC Exception Handler x86/sev-es: Handle MMIO events x86/sev-es: Handle MSR events x86/sev-es: Handle DR7 read/write events x86/sev-es: Handle WBINVD Events x86/sev-es: Handle RDTSC(P) Events x86/sev-es: Handle RDPMC Events x86/sev-es: Handle INVD Events x86/sev-es: Handle MONITOR/MONITORX Events x86/sev-es: Handle MWAIT/MWAITX Events x86/sev-es: Handle VMMCALL Events x86/kvm: Add KVM specific VMMCALL handling under SEV-ES x86/realmode: Setup AP jump table x86/efi: Add GHCB mappings when SEV-ES is active arch/x86/Kconfig | 1 + arch/x86/boot/compressed/Makefile | 9 +- arch/x86/boot/compressed/cpuflags.c | 4 - arch/x86/boot/compressed/head_64.S | 32 +- arch/x86/boot/compressed/ident_map_64.c | 349 +++++ arch/x86/boot/compressed/idt_64.c | 54 + arch/x86/boot/compressed/idt_handlers_64.S | 77 ++ arch/x86/boot/compressed/kaslr.c | 36 +- arch/x86/boot/compressed/kaslr_64.c | 153 --- arch/x86/boot/compressed/misc.c | 7 + arch/x86/boot/compressed/misc.h | 50 +- arch/x86/boot/compressed/sev-es.c | 214 +++ arch/x86/entry/entry_64.S | 78 ++ arch/x86/include/asm/cpu.h | 2 +- arch/x86/include/asm/cpu_entry_area.h | 33 +- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/desc_defs.h | 3 + arch/x86/include/asm/fpu/internal.h | 30 +- arch/x86/include/asm/fpu/xcr.h | 34 + arch/x86/include/asm/idtentry.h | 50 + arch/x86/include/asm/insn-eval.h | 6 + arch/x86/include/asm/mem_encrypt.h | 5 + arch/x86/include/asm/msr-index.h | 3 + arch/x86/include/asm/page_64_types.h | 1 + arch/x86/include/asm/pgtable.h | 2 +- arch/x86/include/asm/processor.h | 7 + arch/x86/include/asm/proto.h | 1 + arch/x86/include/asm/realmode.h | 4 + arch/x86/include/asm/segment.h | 2 +- arch/x86/include/asm/setup.h | 20 +- arch/x86/include/asm/sev-es.h | 113 ++ arch/x86/include/asm/stacktrace.h | 2 + arch/x86/include/asm/svm.h | 100 +- arch/x86/include/asm/trap_pf.h | 24 + arch/x86/include/asm/trapnr.h | 1 + arch/x86/include/asm/traps.h | 20 +- arch/x86/include/asm/x86_init.h | 16 +- arch/x86/include/uapi/asm/svm.h | 11 + arch/x86/kernel/Makefile | 1 + arch/x86/kernel/cpu/amd.c | 3 +- arch/x86/kernel/cpu/common.c | 37 +- arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/cpu/vmware.c | 50 +- arch/x86/kernel/dumpstack.c | 7 +- arch/x86/kernel/dumpstack_64.c | 47 +- arch/x86/kernel/head64.c | 85 +- arch/x86/kernel/head_32.S | 4 +- arch/x86/kernel/head_64.S | 159 ++- arch/x86/kernel/idt.c | 94 +- arch/x86/kernel/kvm.c | 35 +- arch/x86/kernel/nmi.c | 12 + arch/x86/kernel/sev-es-shared.c | 507 +++++++ arch/x86/kernel/sev-es.c | 1404 ++++++++++++++++++++ arch/x86/kernel/smpboot.c | 10 +- arch/x86/kernel/traps.c | 56 + arch/x86/kernel/umip.c | 49 +- arch/x86/kvm/svm/nested.c | 47 +- arch/x86/kvm/svm/svm.c | 2 + arch/x86/lib/insn-eval.c | 130 ++ arch/x86/mm/cpu_entry_area.c | 3 +- arch/x86/mm/extable.c | 1 + arch/x86/mm/mem_encrypt.c | 38 +- arch/x86/mm/mem_encrypt_identity.c | 3 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/realmode/init.c | 24 +- arch/x86/realmode/rm/header.S | 3 + arch/x86/realmode/rm/trampoline_64.S | 20 + arch/x86/tools/gen-insn-attr-x86.awk | 50 +- tools/arch/x86/tools/gen-insn-attr-x86.awk | 50 +- 69 files changed, 4041 insertions(+), 456 deletions(-) create mode 100644 arch/x86/boot/compressed/ident_map_64.c create mode 100644 arch/x86/boot/compressed/idt_64.c create mode 100644 arch/x86/boot/compressed/idt_handlers_64.S delete mode 100644 arch/x86/boot/compressed/kaslr_64.c create mode 100644 arch/x86/boot/compressed/sev-es.c create mode 100644 arch/x86/include/asm/fpu/xcr.h create mode 100644 arch/x86/include/asm/sev-es.h create mode 100644 arch/x86/include/asm/trap_pf.h create mode 100644 arch/x86/kernel/sev-es-shared.c create mode 100644 arch/x86/kernel/sev-es.c -- 2.28.0