Message ID | 20210210102135.30667-1-joro@8bytes.org (mailing list archive) |
---|---|
Series | x86/seves: Support 32-bit boot path and other updates |

On Wed, Feb 10, 2021 at 11:21:28AM +0100, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@suse.de>
>
> Hi,
>
> these patches add support for the 32-bit boot in the decompressor
> code. This is needed to boot an SEV-ES guest on some firmware and grub
> versions. The patches also add the necessary CPUID sanity checks and a

Could you expand a bit please? What GRUB versions are we talking about
(CC-ing Daniel Kiper, who owns GRUB).

By 'some firmware' we talking SeaBIOS?

> 32-bit version of the C-bit check.
>
> Other updates included here:
>
>    1. Add code to shut down exception handling in the
>       decompressor code before jumping to the real kernel.
>       Once in the real kernel it is not safe anymore to jump
>       back to the decompressor code via exceptions.
>
>    2. Replace open-coded hlt loops with proper calls to
>       sev_es_terminate().
>
> Please review.
>
> Thanks,
>
>    Joerg
>
> Joerg Roedel (7):
>   x86/boot/compressed/64: Cleanup exception handling before booting
>     kernel
>   x86/boot/compressed/64: Reload CS in startup_32
>   x86/boot/compressed/64: Setup IDT in startup_32 boot path
>   x86/boot/compressed/64: Add 32-bit boot #VC handler
>   x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path
>   x86/boot/compressed/64: Check SEV encryption in 32-bit boot-path
>   x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate()
>
>  arch/x86/boot/compressed/head_64.S     | 168 ++++++++++++++++++++++++-
>  arch/x86/boot/compressed/idt_64.c      |  14 +++
>  arch/x86/boot/compressed/mem_encrypt.S | 114 ++++++++++++++++-
>  arch/x86/boot/compressed/misc.c        |   7 +-
>  arch/x86/boot/compressed/misc.h        |   6 +
>  arch/x86/boot/compressed/sev-es.c      |  12 +-
>  arch/x86/kernel/sev-es-shared.c        |  10 +-
>  7 files changed, 307 insertions(+), 24 deletions(-)
>
> --
> 2.30.0
>

Hi Konrad,

On Wed, Feb 10, 2021 at 09:58:35AM -0500, Konrad Rzeszutek Wilk wrote:
> What GRUB versions are we talking about (CC-ing Daniel Kiper, who owns
> GRUB).

I think this was about 32-bit GRUB builds used by distributions. I
personally tested it with a kernel which has EFI support disabled, in
this case the OVMF firmware will also boot into the startup_32 boot
path.

> By 'some firmware' we talking SeaBIOS?

No, SeaBIOS is not supported for SEV-ES, only OVMF has handling for #VC
so far.

Regards,

   Joerg

On Wed, Feb 10, 2021 at 04:12:25PM +0100, Joerg Roedel wrote:
> Hi Konrad,
>
> On Wed, Feb 10, 2021 at 09:58:35AM -0500, Konrad Rzeszutek Wilk wrote:
> > What GRUB versions are we talking about (CC-ing Daniel Kiper, who owns
> > GRUB).
>
> I think this was about 32-bit GRUB builds used by distributions. I
> personally tested it with a kernel which has EFI support disabled, in
> this case the OVMF firmware will also boot into the startup_32 boot
> path.

I think I am missing something obvious here - but why would you want
EFI support disabled?

Or is the idea that "legacy" OSes can nicely run under AMD SEV?
But since you are having a kernel patch that is not "legacy OS" anymore.

>
> > By 'some firmware' we talking SeaBIOS?
>
> No, SeaBIOS is not supported for SEV-ES, only OVMF has handling for #VC
> so far.
>
> Regards,
>
>    Joerg

On Wed, Feb 10, 2021 at 10:19:38AM -0500, Konrad Rzeszutek Wilk wrote:
> I think I am missing something obvious here - but why would you want
> EFI support disabled?

I don't want EFI support disabled, this is just a way to trigger this
boot-path. In real life it is triggered by 32-bit GRUB EFI builds. But I
haven't had one of those for testing, so I used another way to trigger
this path.

Regards,

   Joerg

From: Joerg Roedel <jroedel@suse.de>

Hi,

these patches add support for the 32-bit boot in the decompressor
code. This is needed to boot an SEV-ES guest on some firmware and grub
versions. The patches also add the necessary CPUID sanity checks and a
32-bit version of the C-bit check.

Other updates included here:

   1. Add code to shut down exception handling in the
      decompressor code before jumping to the real kernel.
      Once in the real kernel it is not safe anymore to jump
      back to the decompressor code via exceptions.

   2. Replace open-coded hlt loops with proper calls to
      sev_es_terminate().

Please review.

Thanks,

   Joerg

Joerg Roedel (7):
  x86/boot/compressed/64: Cleanup exception handling before booting
    kernel
  x86/boot/compressed/64: Reload CS in startup_32
  x86/boot/compressed/64: Setup IDT in startup_32 boot path
  x86/boot/compressed/64: Add 32-bit boot #VC handler
  x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path
  x86/boot/compressed/64: Check SEV encryption in 32-bit boot-path
  x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate()

 arch/x86/boot/compressed/head_64.S     | 168 ++++++++++++++++++++++++-
 arch/x86/boot/compressed/idt_64.c      |  14 +++
 arch/x86/boot/compressed/mem_encrypt.S | 114 ++++++++++++++++-
 arch/x86/boot/compressed/misc.c        |   7 +-
 arch/x86/boot/compressed/misc.h        |   6 +
 arch/x86/boot/compressed/sev-es.c      |  12 +-
 arch/x86/kernel/sev-es-shared.c        |  10 +-
 7 files changed, 307 insertions(+), 24 deletions(-)