From patchwork Thu Nov 10 00:38:38 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Lendacky X-Patchwork-Id: 9420455 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 51E1F6048E for ; Thu, 10 Nov 2016 00:54:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 426172939E for ; Thu, 10 Nov 2016 00:54:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 34EBE293D4; Thu, 10 Nov 2016 00:54:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B39532939E for ; Thu, 10 Nov 2016 00:54:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932181AbcKJAyL (ORCPT ); Wed, 9 Nov 2016 19:54:11 -0500 Received: from mail-cys01nam02on0069.outbound.protection.outlook.com ([104.47.37.69]:36634 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752933AbcKJAyG (ORCPT ); Wed, 9 Nov 2016 19:54:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector1-amd-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=69b4z5CuV1zOALOsdn/T+M2YL8fW/aq1XQ2wSDGFVbQ=; b=X5dW3NAFQVl6ckDqmiGFN+7LVprLuRKAmP1m5ozOWPk04+FUqq8DzuvDxrJUQ3gjOHSPAxI23S5VYigKyWZS8MzFK9mI75Xc2EKySBlgEUeyRgymWmuQ8QQULNR3aCPNR9onMmgjy8NGVKQXPA4uYl//TLkCzIyJ2Y79gJcVRm0= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Lendacky@amd.com; Received: from tlendack-t1.amdoffice.net (165.204.77.1) by BN6PR12MB1138.namprd12.prod.outlook.com (10.168.226.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.707.6; Thu, 10 Nov 2016 00:38:41 +0000 From: Tom Lendacky Subject: [RFC PATCH v3 20/20] x86: Add support to make use of Secure Memory Encryption To: , , , , , , , , CC: Rik van Riel , Radim =?utf-8?b?S3LEjW3DocWZ?= , Arnd Bergmann , Jonathan Corbet , Matt Fleming , Joerg Roedel , Konrad Rzeszutek Wilk , "Paolo Bonzini" , Larry Woodman , "Ingo Molnar" , Borislav Petkov , Andy Lutomirski , "H. Peter Anvin" , Andrey Ryabinin , Alexander Potapenko , "Thomas Gleixner" , Dmitry Vyukov Date: Wed, 9 Nov 2016 18:38:38 -0600 Message-ID: <20161110003838.3280.23327.stgit@tlendack-t1.amdoffice.net> In-Reply-To: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net> References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: DM5PR20CA0010.namprd20.prod.outlook.com (10.173.136.148) To BN6PR12MB1138.namprd12.prod.outlook.com (10.168.226.140) X-MS-Office365-Filtering-Correlation-Id: 96277412-891d-419e-4231-08d40901ec89 X-Microsoft-Exchange-Diagnostics: 1; BN6PR12MB1138; 2:gLQ5rLr5R976njzrfmBUOfBg+LSn10EDAzALrocAg4Hu0MjffrV3/LqioCPyU/cqH1h2kI6MUYu4NRgRjJtuz6hTlvBIERlE6pLEEvwQh54ZyujFXO/UtOKsfbLpFLx8AhHc4seA2Y/YAMNPaUuweU6QFO0IMwavyMhdeoVRdfjBDLuGRY0hRn9gEqtz08tSEEH7CKg6jVPTFlmnhFLFZQ==; 3:21tLhY1PjPCLsJayTTa3zYKyeOeAFYV0Fte13hg0Lift7rPCtv8/IplYwPGXk5gKsyL3ezRAyjSImpBqjjyII5VIUJJj0ijO9mpKFxh0Rx5Z+Ffun48hdcyyoGtSy0l4XmXftWAduZ7qDJmrsjuq/g==; 25:ytRS6anfLhJD+L7mhPsPhQ44mRzDRBrVmIXWy8K9ZssKZdeHhk9nTc5wqLMLZ/IiPu0dsfMqsLFKjCGKcoPxhZEjoWNIDEFlCm0kIHVtwSp6kX4XLCXEbIzjNJXrbCq4xvPvO8566iETa2u10cAcI0psWuaeqsIef6gQ2kWoa+pnPW3wQYUiAty/pRrH44jEHioy/zHxkHRu2zKJ2adXCA0/UaxTXqSdd5Kmpt0U1uOznv/nGtig0yX1pBNF78mq7BnWZin4SBnqA00UWCb36ULhaYLnwZAVajGjZ9kSFPcB2B18iYXbhkJ5ynWm64/yC0dL9r+DHKbKyAN2TGasy36HCi1qhJxJv5ciPiwjMDY7PE8J5xFsYkvKjzRyXEWfnoiLECajxS6x6DKZ63gXg+jZk8D6l2b5SX5521VFyfDmmBHkH+Q+xBKymSJpP6BI X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN6PR12MB1138; X-Microsoft-Exchange-Diagnostics: 1; BN6PR12MB1138; 31:BKuGhgXdd3ycb98nF6k2sH/9GfhEjy5A7JQDXmSwMxrcEjoZnKahUbZMo32xKPrAVZTqOaO8udHsbv3FY1BEcZ+2s0sMvcFHuwacImYsABjf+J92+d8W4cznXdrT3mQMNhMMbd1p9kF1BNPo+qjU6PyqN2vBz7vo7H2L7ytQl9F+NXiCJt0k8Ok/sxJHr8T5dtGlVHHb1SYKgOK9h3diR1mUdI2skafo/i8vYDkAJZvI7LEztL/ZjgR7kg7nMyoBTqkQzPodWZVuWaOiFNCQVg==; 20:J0XSTB9QDVlybRkKpM6T3rlN8Yyjp2ylmMKt03c63jxfZSURqGD2nbG72KB7h/iECDwT/Snqf7ZGuxDxwDolvYTEV6+NGBkuLtEBGG51QYvUzrwxQ9h1fkEU+eXrxP2WqjETPfs7lmC/CEJ9dZtWJCOMKyd1CEE6BKORlFlN9GtYH05OEYEOM4ONeXt/5eVeeJZVQ4l2whE6zJ3LgjartSQzHjtLCDKdR2ndDi060l1bRyP4H4aao4zbCFkIz3NVybIwZxKWnHiFdd2Cdq0yHrf61eOlP+4gDbRJjsosGvC6ZPAxySaeQzZ93wxM1zUuOxA0mMKqkcsI9dE1TzsbPqLN4npHm1X7aLynqBEw9e3PHN2dqxgiMs1jT7GWXIof6lPRCq7LVM9wyDtc0Yj2z/gdwEm5JZF8YSl6Dyziudw101Yam/CIQxXEwraRaO5epbAElQt0XlU8zaQt/AMERxIyBE1LAKo22dvtsWcTSe8br2B45xLpUPLQ2DMeH/64 X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(767451399110); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BN6PR12MB1138; BCL:0; PCL:0; RULEID:; SRVR:BN6PR12MB1138; X-Microsoft-Exchange-Diagnostics: 1; BN6PR12MB1138; 4:LtglvmXqQjaZKoK1IsxpEt6unDriQSTZbSqlTeTLk4mJn0vWVBCKyLzsuDp+EVMUMS8e43QuhHrfGo48IFb179jL7wzeJEtFIepf9rVgPPX5u0TPPVCOjEuewGffKIpu9/YMkV0P3xksWZhh39ON0I3SM0tMfHyoRvmY3GaXu5gqMNFphIbynIM9EHLeGGhxUSyXQGoC2qfSq3DYB/sqYSKvYbPVg+2ESsXJ4KpyF7hDYTkdiNISMxLMorNCmp+Uo810jApJbxyDM9zNfBLhjxsztZtx4tpmN0QGkxYahbZ/hL2M8cxwDgxKom7H/atOYb7XooT1sVABfCSlukan6/odKrhmkpV/M8ZzHyKIukwWyZc7+ZXMDQjywoTYZaZSiOV+brRuYYM5rdYzSqLoqDXobU+ICIYqeJwctb4Pkw/MJZQ0/+QM1B8/VZYmFLnM+AkmWBiO9HV7Ch+JzDWWfA== X-Forefront-PRVS: 01221E3973 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(7916002)(189002)(199003)(3846002)(2906002)(9686002)(2950100002)(69596002)(81156014)(7416002)(4326007)(23676002)(230700001)(47776003)(103116003)(68736007)(33646002)(77096005)(5660300001)(7846002)(50466002)(66066001)(50986999)(54356999)(76176999)(305945005)(101416001)(8676002)(7736002)(6666003)(106356001)(586003)(105586002)(6116002)(53416004)(42186005)(86362001)(1076002)(92566002)(2201001)(5001770100001)(575784001)(97746001)(83506001)(97736004)(81166006)(189998001)(4001350100001)(71626007)(217873001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR12MB1138; H:tlendack-t1.amdoffice.net; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtCTjZQUjEyTUIxMTM4OzIzOmQ0cjh6bU1TSW1JajB6RGVndmMrTzhHY3pH?= =?utf-8?B?WnJlc0FhZ3RyWVB5WEdRWDZTZG4ySEtvcVlSMzRsMlc4emJDaGo4Wk9WNlMr?= =?utf-8?B?ZVZuMU1rRDlreXEvQTVhOWJqL2hCd2hQaklzMzhueGFtdGtQQXdTQ0JvUEIr?= =?utf-8?B?c09zWXB1NEhTcFRwcDVWVldBMkJlSnVwOGRmVFZBbTVxamFRZjJyMVZIbnVI?= =?utf-8?B?Ry93RTZyRXNvemU3Sm1FOG9CRTVvOVdwZk9GOFhteTdPc1lVWHdpREozR0Zr?= =?utf-8?B?aTh3QXQ2TDk2b0FJbzNEekhET0V6R1pSbWRIT3gvbzdwTjRpRGcwcnVFaGJU?= =?utf-8?B?VVUwTXFpZU96S3M2bVlZZit1MmltT0tBR3F2ZVppUFQ2ell3Zk1lV0psRFhk?= =?utf-8?B?Ukg5TjU4NXBnK0lYSHNoK3hkTnR2MjlxVUFuVUFiSjhlSG9HRU81RmdTSjZs?= =?utf-8?B?SmFDc1hOQnVaNlhrVnlpN1ZoajJPTXJoU3R3M3FiZ1I5TGYrQUxHL2NFNzU1?= =?utf-8?B?RW9KTnVrU2lSTXZ3c29ZSUE5S1VkQ1FhVU1FaVh1TzVhbEJqUXhsSTF0YmFJ?= =?utf-8?B?RGNJcVBDdllLVG5ZMEpKa3dFSytnVkMxL09BSHV0NFgrakJvQ3ZrN1BIc1VM?= =?utf-8?B?Tzg5WTlVTWxLdDZrVDNtV1N6NGRUYzZqQmQ4ZFdvczZCZmdDSmlQZ2pUUFNo?= =?utf-8?B?VituUXU1MG9GenZhSzdXNWloOUJqdTV2b3BCY2orYzlJbk16dllmM0MvUlFT?= =?utf-8?B?V2o2ZzNGdGNSa3JtVzlKU0ZmNndwYTQvM1BJUmVXQ0NaUDhFbU5HeUVtMkVQ?= =?utf-8?B?Zkl5RGcrQndvK28rVG9FaXJuR3JRR3ZCL0h2VkxqSGVKT09XTEFUNTc5TkQr?= =?utf-8?B?bjdIalYyY1Jua1F6REk5Tk91N2k2amlyMkwxQTd0R0N4Z2t2T1JXdEVIN1k2?= =?utf-8?B?cW1wbWpDM0FZVUNPTnNHVEViWC9qQ0Q2WDZRdzhDaGtNK0tCN201dHl2YUpa?= =?utf-8?B?MkJCOUlHaFdwMzRxNldUMmZoQWp3Tm4yaTBnY2ZHbVQ5Y2s4VDA3M0lpRzVr?= =?utf-8?B?czFQeC9sbWV1NWlSR3p2K3BnM2IzTXpLcFMyUWxvK0pJb0hMSnNPSEVneWFU?= =?utf-8?B?a2Z2bEJWWDZHY2ZCeENOc3dEWU0yeFhoSHQwTlU4TlFHTUFRSDBDbkVma0tO?= =?utf-8?B?MmliY2I4S1RDMlQrMmh0UDd1Y2srOSt6T2FHQWRCTE1FN3dOdTA4aXJsNTJO?= =?utf-8?B?Y2dkdlljTDYwL3FPd1N6b3ZWWlhiRk0xTjdobU1kVTdzWDlGeHJxVklBMmVw?= =?utf-8?B?QzZvYnU2YXBlZlhJd2ZOOFcyei84M3RpOGhCTWpJR1pya25CRkJ1Y1VQRmxO?= =?utf-8?B?R0V4ckR5TWNBeVdVcUdOTHZ6dU9hSU9YZ0FBMlgxZjYrWUt3VGpjZEFIYkZR?= =?utf-8?B?TGl5eFpJTnBpREJPT0cxR0NRTFZRVmNEMXArZm1JU3JRcFl2TUwxcjZzZUsw?= =?utf-8?B?RVp4OWVPMmVzRGgyVnBCc0cwaTNIM2pBNUFCMkh0ZVNTdkdGbGVWcVRpYVpI?= =?utf-8?B?bmljaHhzMXdHbkFkeG50L01xbUNTakpHOXJXdlFCTmtWR3FWZUd4d2FkQldC?= =?utf-8?B?aGNlZVVNZldOQVl0dm5VeHV1WVNLZEdURis2aFk0ak8zY09SaTQxNFlCRnoz?= =?utf-8?Q?9uTIVVm9M1WMziTpF6vhWFHhcq8zm0Ql/N0ASZz?= X-Microsoft-Exchange-Diagnostics: 1; BN6PR12MB1138; 6:ygkiDyal57h1GEEl3T431wURnSPntRCBL6fjqsFmxkN2uiIIUM5R9lUJQtdy+Im+0metep7uhjNVfnaEbeIM8LII3MswGP3QOHdKFbMub5qIayhdXhkF76pjMZMZv8CeXFMqS/uzBpV5ntsCqNmPVcH6IzKMDToT6BSlI1yk4tHqlWihgfg1R65alOJsBJA3OWxHOEDhi5zOUf98v4OVBG9Dy9cGCtkZ6iFB49MQ9/u4u4AepnfmdAa0L7WccPNBrmf0pcqj938E7s7k2k8GIxUWZPO86gx+PGzckSKBoDknz9QPkjaffxuP59W7EgjMbOn5/Errffw7527CiT00g6STYUXoMlUmm71JwruTaDs=; 5:avt2OH7WV3E4+PapDasl62K6113FGGYnJvNhJ2QQLAA6z2YOMxu39kVjz1iyrR00KTmcxJsKQKKANsumsgcbe7Gj3zHS4HzbNx5SMg/lXYy1ienmvGLtRAewolQQ8y1Zzq/VJZDbgZG96f+J/ljRyw==; 24:XtKB8I9/REZxMF3e8o/AQgz9b6eMMQdbF+/g4lezVrH35zXZJKzs+Zzw+HoTLv2l/dB0uneNJXuAXPw0zx7AtCfXlR7cfexuvfHQJ/hzpwI= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; BN6PR12MB1138; 7:MmV4GmNM/gkiPy6I/JyBvQ8Urb5ex6OyaHwwbd/IF6+sx86DmXO+YbvSDBQYwHUm7kkwfEnpCZd35afX4YrJ/z/X6Sbk6EWjo1fuCUERXLsb3XKq8fbmDzRmUynrR+TeMt1zb7jTwtw8kV5Lm/TC7y1qAhNgct5MgasDdDVhiI7O+m8UbAldi2xAmkZ1m2k5pZIhRwugxXXP2wEfAu5hQxSDjeAKr8gix0mx0k1IQpe+h3lbS290Flbj4BJ7b5EJhkkbPCTruLI0/+5JZzRcoKCjBWXse4v3jB3GkGqaABq27iI1u96HUJTxu8oD1eAm/wUDXozNPHQHScv1SMvArSiahEtEDAC6jtXAtOqEHms=; 20:4Lm5qUjGZ8uWi3aAXUIuzvpwLZz3USUbDXCGNS3EdLbI+p2Hnh2U5B2eUT4qDUpLyzRsfCwhHHEmZGgtdlIusGqfmNwFKUmQ8GHkIrgIpJVZu4h1qiUb8je3D7MIcdPYezJHiN2PE5jnA/m3ZqMS1x7uD55FlDSV4VB3PHRtYa+2wL9bcLsNxLF5ba3coa+5PBhOqX7xLhohHlLAEqls8DXzzO/6Zw7U9ZcJm2UzyEvmBSQNc52CSDYQACxp46V2 X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Nov 2016 00:38:41.7444 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1138 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch adds the support to check if SME has been enabled and if the mem_encrypt=on command line option is set. If both of these conditions are true, then the encryption mask is set and the kernel is encrypted "in place." Signed-off-by: Tom Lendacky --- arch/x86/kernel/head_64.S | 1 + arch/x86/kernel/mem_encrypt_init.c | 60 +++++++++++++++++++++++++++++++++++- arch/x86/mm/mem_encrypt.c | 2 + 3 files changed, 62 insertions(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S index e8a7272..c225433 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -100,6 +100,7 @@ startup_64: * to include it in the page table fixups. */ push %rsi + movq %rsi, %rdi call sme_enable pop %rsi movq %rax, %r12 diff --git a/arch/x86/kernel/mem_encrypt_init.c b/arch/x86/kernel/mem_encrypt_init.c index 7bdd159..c94ceb8 100644 --- a/arch/x86/kernel/mem_encrypt_init.c +++ b/arch/x86/kernel/mem_encrypt_init.c @@ -16,9 +16,14 @@ #include #include +#include +#include +#include #ifdef CONFIG_AMD_MEM_ENCRYPT +static char sme_cmdline_arg[] __initdata = "mem_encrypt=on"; + extern void sme_encrypt_execute(unsigned long, unsigned long, unsigned long, void *, pgd_t *); @@ -219,7 +224,60 @@ unsigned long __init sme_get_me_mask(void) return sme_me_mask; } -unsigned long __init sme_enable(void) +unsigned long __init sme_enable(void *boot_data) { +#ifdef CONFIG_AMD_MEM_ENCRYPT + struct boot_params *bp = boot_data; + unsigned int eax, ebx, ecx, edx; + u64 msr; + unsigned long cmdline_ptr; + void *cmdline_arg; + + /* Check for an AMD processor */ + eax = 0; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if ((ebx != 0x68747541) || (edx != 0x69746e65) || (ecx != 0x444d4163)) + goto out; + + /* Check for the SME support leaf */ + eax = 0x80000000; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if (eax < 0x8000001f) + goto out; + + /* + * Check for the SME feature: + * CPUID Fn8000_001F[EAX] - Bit 0 + * Secure Memory Encryption support + * CPUID Fn8000_001F[EBX] - Bits 5:0 + * Pagetable bit position used to indicate encryption + */ + eax = 0x8000001f; + ecx = 0; + native_cpuid(&eax, &ebx, &ecx, &edx); + if (!(eax & 1)) + goto out; + + /* Check if SME is enabled */ + msr = native_read_msr(MSR_K8_SYSCFG); + if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) + goto out; + + /* + * Fixups have not been to applied phys_base yet, so we must obtain + * the address to the SME command line option in the following way. + */ + asm ("lea sme_cmdline_arg(%%rip), %0" + : "=r" (cmdline_arg) + : "p" (sme_cmdline_arg)); + cmdline_ptr = bp->hdr.cmd_line_ptr | ((u64)bp->ext_cmd_line_ptr << 32); + if (cmdline_find_option_bool((char *)cmdline_ptr, cmdline_arg)) + sme_me_mask = 1UL << (ebx & 0x3f); + +out: +#endif /* CONFIG_AMD_MEM_ENCRYPT */ + return sme_me_mask; } diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c index e351003..d0bc3f5 100644 --- a/arch/x86/mm/mem_encrypt.c +++ b/arch/x86/mm/mem_encrypt.c @@ -251,6 +251,8 @@ void __init mem_encrypt_init(void) /* Make SWIOTLB use an unencrypted DMA area */ swiotlb_clear_encryption(); + + pr_info("AMD Secure Memory Encryption active\n"); } void swiotlb_set_mem_unenc(void *vaddr, unsigned long size)