Subject: [RFC][PATCH 11/34] x86/cpu/intel: Prepare MKTME for "address configuration" infrastructure
To: linux-kernel@vger.kernel.org
Cc: kirill.shutemov@linux.intel.com,pbonzini@redhat.com,tglx@linutronix.de,x86@kernel.org,bp@alien8.de,Dave Hansen
From: Dave Hansen
Date: Thu, 22 Feb 2024 10:39:41 -0800
References: <20240222183926.517AFCD2@davehans-spike.ostc.intel.com>
In-Reply-To: <20240222183926.517AFCD2@davehans-spike.ostc.intel.com>
Message-Id: <20240222183941.7CB634A5@davehans-spike.ostc.intel.com>

From: Dave Hansen

Intel also does memory encryption and also fiddles with the physical
address bits. This is currently called for *each* CPU, but practically
only done on the boot CPU because of 'mktme_status'.

Move it from the "each CPU" ->c_init() function to ->c_bsp_init() where
the whole thing only gets called once ever. This also necessitates moving
detect_tme() and its entourage around in the file.

Signed-off-by: Dave Hansen
---

b/arch/x86/kernel/cpu/intel.c | 174 +++++++++++++++++++++---------------------
1 file changed, 87 insertions(+), 87 deletions(-)

diff -puN arch/x86/kernel/cpu/intel.c~intel-move-TME-detection arch/x86/kernel/cpu/intel.c
--- a/arch/x86/kernel/cpu/intel.c~intel-move-TME-detection 2024-02-22 10:08:53.820663775 -0800
+++ b/arch/x86/kernel/cpu/intel.c 2024-02-22 10:08:53.824663932 -0800
@@ -324,9 +324,96 @@ static void early_init_intel(struct cpui detect_ht_early(c); } +#define MSR_IA32_TME_ACTIVATE 0x982 + +/* Helpers to access TME_ACTIVATE MSR */ +#define TME_ACTIVATE_LOCKED(x) (x & 0x1) +#define TME_ACTIVATE_ENABLED(x) (x & 0x2) + +#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */ +#define TME_ACTIVATE_POLICY_AES_XTS_128 0 + +#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */ + +#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */ +#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1 + +/* Values for mktme_status (SW only construct) */ +#define MKTME_ENABLED 0 +#define MKTME_DISABLED 1 +#define MKTME_UNINITIALIZED 2 +static int mktme_status = MKTME_UNINITIALIZED; + +static void detect_tme(struct cpuinfo_x86 *c) +{ + u64 tme_activate, tme_policy, tme_crypto_algs; + int keyid_bits = 0, nr_keyids = 0; + static u64 tme_activate_cpu0 = 0; + + rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate); + + if (mktme_status != MKTME_UNINITIALIZED) { + if (tme_activate != tme_activate_cpu0) { + /* Broken BIOS? */ + pr_err_once("x86/tme: configuration is inconsistent between CPUs\n"); + pr_err_once("x86/tme: MKTME is not usable\n"); + mktme_status = MKTME_DISABLED; + + /* Proceed. We may need to exclude bits from x86_phys_bits. 
*/ + } + } else { + tme_activate_cpu0 = tme_activate; + } + + if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) { + pr_info_once("x86/tme: not enabled by BIOS\n"); + mktme_status = MKTME_DISABLED; + return; + } + + if (mktme_status != MKTME_UNINITIALIZED) + goto detect_keyid_bits; + + pr_info("x86/tme: enabled by BIOS\n"); + + tme_policy = TME_ACTIVATE_POLICY(tme_activate); + if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128) + pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy); + + tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate); + if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) { + pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n", + tme_crypto_algs); + mktme_status = MKTME_DISABLED; + } +detect_keyid_bits: + keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate); + nr_keyids = (1UL << keyid_bits) - 1; + if (nr_keyids) { + pr_info_once("x86/mktme: enabled by BIOS\n"); + pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids); + } else { + pr_info_once("x86/mktme: disabled by BIOS\n"); + } + + if (mktme_status == MKTME_UNINITIALIZED) { + /* MKTME is usable */ + mktme_status = MKTME_ENABLED; + } + + /* + * KeyID bits effectively lower the number of physical address + * bits. Update cpuinfo_x86::x86_phys_bits accordingly. + */ + c->x86_phys_bits -= keyid_bits; +} + static void bsp_init_intel(struct cpuinfo_x86 *c) { resctrl_cpu_detect(c); + + if (cpu_has(c, X86_FEATURE_TME)) + detect_tme(c); } #ifdef CONFIG_X86_32 
@@ -482,90 +569,6 @@ static void srat_detect_node(struct cpui #endif } -#define MSR_IA32_TME_ACTIVATE 0x982 - -/* Helpers to access TME_ACTIVATE MSR */ -#define TME_ACTIVATE_LOCKED(x) (x & 0x1) -#define TME_ACTIVATE_ENABLED(x) (x & 0x2) - -#define TME_ACTIVATE_POLICY(x) ((x >> 4) & 0xf) /* Bits 7:4 */ -#define TME_ACTIVATE_POLICY_AES_XTS_128 0 - -#define TME_ACTIVATE_KEYID_BITS(x) ((x >> 32) & 0xf) /* Bits 35:32 */ - -#define TME_ACTIVATE_CRYPTO_ALGS(x) ((x >> 48) & 0xffff) /* Bits 63:48 */ -#define TME_ACTIVATE_CRYPTO_AES_XTS_128 1 - -/* Values for mktme_status (SW only construct) */ -#define MKTME_ENABLED 0 -#define MKTME_DISABLED 1 -#define MKTME_UNINITIALIZED 2 -static int mktme_status = MKTME_UNINITIALIZED; - -static void detect_tme(struct cpuinfo_x86 *c) -{ - u64 tme_activate, tme_policy, tme_crypto_algs; - int keyid_bits = 0, nr_keyids = 0; - static u64 tme_activate_cpu0 = 0; - - rdmsrl(MSR_IA32_TME_ACTIVATE, tme_activate); - - if (mktme_status != MKTME_UNINITIALIZED) { - if (tme_activate != tme_activate_cpu0) { - /* Broken BIOS? */ - pr_err_once("x86/tme: configuration is inconsistent between CPUs\n"); - pr_err_once("x86/tme: MKTME is not usable\n"); - mktme_status = MKTME_DISABLED; - - /* Proceed. We may need to exclude bits from x86_phys_bits. 
*/ - } - } else { - tme_activate_cpu0 = tme_activate; - } - - if (!TME_ACTIVATE_LOCKED(tme_activate) || !TME_ACTIVATE_ENABLED(tme_activate)) { - pr_info_once("x86/tme: not enabled by BIOS\n"); - mktme_status = MKTME_DISABLED; - return; - } - - if (mktme_status != MKTME_UNINITIALIZED) - goto detect_keyid_bits; - - pr_info("x86/tme: enabled by BIOS\n"); - - tme_policy = TME_ACTIVATE_POLICY(tme_activate); - if (tme_policy != TME_ACTIVATE_POLICY_AES_XTS_128) - pr_warn("x86/tme: Unknown policy is active: %#llx\n", tme_policy); - - tme_crypto_algs = TME_ACTIVATE_CRYPTO_ALGS(tme_activate); - if (!(tme_crypto_algs & TME_ACTIVATE_CRYPTO_AES_XTS_128)) { - pr_err("x86/mktme: No known encryption algorithm is supported: %#llx\n", - tme_crypto_algs); - mktme_status = MKTME_DISABLED; - } -detect_keyid_bits: - keyid_bits = TME_ACTIVATE_KEYID_BITS(tme_activate); - nr_keyids = (1UL << keyid_bits) - 1; - if (nr_keyids) { - pr_info_once("x86/mktme: enabled by BIOS\n"); - pr_info_once("x86/mktme: %d KeyIDs available\n", nr_keyids); - } else { - pr_info_once("x86/mktme: disabled by BIOS\n"); - } - - if (mktme_status == MKTME_UNINITIALIZED) { - /* MKTME is usable */ - mktme_status = MKTME_ENABLED; - } - - /* - * KeyID bits effectively lower the number of physical address - * bits. Update cpuinfo_x86::x86_phys_bits accordingly. - */ - c->x86_phys_bits -= keyid_bits; -} - static void init_cpuid_fault(struct cpuinfo_x86 *c) { u64 msr; @@ -702,9 +705,6 @@ static void init_intel(struct cpuinfo_x8 init_ia32_feat_ctl(c); - if (cpu_has(c, X86_FEATURE_TME)) - detect_tme(c); - init_intel_misc_features(c); split_lock_init(); _
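Review bot: In detect_tme() as now placed above bsp_init_intel() (first hunk), the "if (mktme_status != MKTME_UNINITIALIZED)" branch, the "static u64 tme_activate_cpu0" variable and the "goto detect_keyid_bits" shortcut exist only to handle a second and later call, and the changelog says ->c_bsp_init() is called once ever, so all three become dead code after the move. Either drop them in this patch so the function reads as a single-pass probe, or state in the changelog that the move is intentionally verbatim and name the follow-up that removes them. The pr_info_once()/pr_err_once() calls can become plain pr_info()/pr_err() at the same time.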
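Review bot: Removing the detect_tme() call from init_intel() (last hunk) means "c->x86_phys_bits -= keyid_bits" now runs only on the cpuinfo_x86 passed to bsp_init_intel(), and the "configuration is inconsistent between CPUs" comparison of TME_ACTIVATE is no longer reached for any secondary CPU. The changelog describes the per-CPU call as practically boot-CPU-only, but the moved comment "Proceed. We may need to exclude bits from x86_phys_bits." shows the subtraction was meant to happen on every CPU even when MKTME had already been marked disabled. Please say in the changelog how secondary CPUs obtain the reduced x86_phys_bits after this patch and whether losing the cross-CPU MSR check is intended; if a later patch in the series covers either, reference it so this one can be reviewed and bisected on its own.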