From patchwork Fri Sep 29 23:06:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Brijesh Singh <brijesh.singh@amd.com>
X-Patchwork-Id: 9978811
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	4BB7A60329 for <patchwork-kvm@patchwork.kernel.org>;
	Fri, 29 Sep 2017 23:07:30 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3EC42298CC
	for <patchwork-kvm@patchwork.kernel.org>;
	Fri, 29 Sep 2017 23:07:30 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 33614298D2; Fri, 29 Sep 2017 23:07:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 702F1298CC
	for <patchwork-kvm@patchwork.kernel.org>;
	Fri, 29 Sep 2017 23:07:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752526AbdI2XHQ (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Fri, 29 Sep 2017 19:07:16 -0400
Received: from mail-bn3nam01on0040.outbound.protection.outlook.com
	([104.47.33.40]:59915
	"EHLO NAM01-BN3-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1752380AbdI2XHO (ORCPT <rfc822;kvm@vger.kernel.org>);
	Fri, 29 Sep 2017 19:07:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=amdcloud.onmicrosoft.com; s=selector1-amd-com;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
	bh=Jvo6B1wmUIddR9EjO1HsvdfJOdlD+UyvlZi63O4mK8w=;
	b=dRlzqV+RZqERQnzPds04ukQXOjTNzOqXnBWWHrPzUhXDtNrCOjUk3w7Pap/XR2AGughA5Rs98Z0pnIt7+SSEdANCSjkmsrAwVzPUhQbQ1rSrUkEjaNXmd28eNNv/pnh9L4PN25GCGcDIFn2GBBLTYHDoYpABsmXq5T00Bcv0U98=
Authentication-Results: spf=none (sender IP is )
	smtp.mailfrom=brijesh.singh@amd.com;
Received: from ubuntu-010236106000.amd.com (165.204.78.1) by
	CY1PR12MB0150.namprd12.prod.outlook.com (10.161.173.20) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
	15.20.77.7; Fri, 29 Sep 2017 23:07:09 +0000
From: Brijesh Singh <brijesh.singh@amd.com>
To: bp@suse.de
Cc: Brijesh Singh <brijesh.singh@amd.com>,
	Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
	"H. Peter Anvin" <hpa@zytor.com>, Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	kvm@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: [Part1 PATCH v5 18/18] x86/mm: add 'sme' argument in mem_encrypt=
Date: Fri, 29 Sep 2017 18:06:52 -0500
Message-Id: <20170929230652.37821-1-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.9.5
In-Reply-To: <20170928090242.ber7gynwaldinafa@pd.tnic>
References: <20170928090242.ber7gynwaldinafa@pd.tnic>
MIME-Version: 1.0
X-Originating-IP: [165.204.78.1]
X-ClientProxiedBy: BN6PR21CA0001.namprd21.prod.outlook.com (10.173.197.11) To
	CY1PR12MB0150.namprd12.prod.outlook.com (10.161.173.20)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 40c13acd-7595-4512-c94d-08d5078ed088
X-MS-Office365-Filtering-HT: Tenant
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0;
	RULEID:(22001)(2017030254152)(48565401081)(2017052603199)(201703131423075)(201703031133081)(201702281549075);
	SRVR:CY1PR12MB0150;
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150;
	3:AjQfPHlbz6jSwKbJDJqkd4SVzyEo0Za38CpXW5B9lOIDIK3NPqNQuCO/bbgUvfXaO6foYVS4z35TL+SkX5hOKrdKEx2Ykjd5gCqoAAEfGyQbS8OPYuDrH7VXGJiP1Ka69X/Z8ijAEK9/6VPkr42T7UaFQenOWC2E8QDxUh3FOP/fDVEO/j5tTDYASIOeTyc3IKl0+Y6YKX8FJ+B8DNq20MDye/KfLOqQ82kzv6O1L5Hcnlte08KSmjjDus5Jo8i/;
	25:nbMn2NyAl5Rru8+Pp3h5esFYi9yOIbEQwMNsxsQks5CUT8GbOqEF5yA+aCkdmwE2GLq/xJAOmlAA3Zfs7NUfrkR1g9Ba2f7vE7sadGuD8t6ZctjLHz1OxAZSzcvAR+C9JOkqIfztnY0xEfs6PL0ZJgRko6P61fgcsuQyzE/4JBF98BcPlWWA+p83S5D6t0Ls/5GIaVBgnoaMJSDZXDwp6727DZSo2PzYhHGkAMP49jjCfZwUdjfcBcnmhMSl+U+T8Hz1w18gmBq5MxBbIK38tue3AwV+IIvTvooLJje+j/lKU586eZUR778jMamZ6qz5nqJlj+TgtxNpJ45C72twyA==;
	31:MdMjfYBibuhfP10nweaSidrfS5gVBVCnUATLppxK0GmB7Rn+x91sZshCPF2YNYfh26r16V0mcA8uwTtGlWgD3NoW1LUKF8RSjoGatCWgTgCR+VFvSjRg+ER8oEAGwG8jdAotvXpgvp6echau7qOwKyE8mLoODYwQEvXJa+9nNDNw0R9lWIHj+XykWUEaG/Yf88u1v1GiZC3BwEDur2dVIQLh1Wmp+/lEUc+8+rNwzD8=
X-MS-TrafficTypeDiagnostic: CY1PR12MB0150:
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150;
	20:qGg7qismq4OmuvBwaf58ymkvRVQXTCSTUthDhadvKF2goHFpASUJa/aG8uZPrtTDlAQywZVChuQbHVUXXcSNRYOAJkw3X5Dpbfud2zgpdTXdpE37AUiez89IAgxGEL1pcXyiH9x7/fEHuiBoYk4dLt+UFEwQ1tgmrkOhoPveLAw2sUIvIt8Mk/ibrMPZV5CLBZhGPJ7UcGUxLnCjJOcnzsej2I8eDrxi7mwrfyoS31N9N+HqJV0n53CCj/3NNea3eVG2WnqmDadQteH0i7ZkWIuOt+Vz/qxQqT3lr6rdUTY2cjbP4QKRpVuk8IziNbO0gazTdX52MUN6Rvyhk/8pBvuFFIDG4eh0ZJqoQtZRfK2mSAwbZatNO69EaW7X2HxkgnQACEA5NNMnjnUhvy7vXEu/s7SCa1ceKSopGOXvTHrHFd3kZvqKySq1chEaGUiWzLnYXgvKpRBkol2fZJnsOWcT3Dey6QKJaV+Q20X7vvv4dUmvS8wUpEppsdPa1aH9;
	4:tz4Ioc6NhGPx3O9mXWb2bHoPjVvW7HBKdAdS607NYMcLSts0dMPTNWX819hweyhbsKMUJ+ztc+RyZwy+apJSrJn9vGx7II2w8l/20UBADtmNLruhhmeUJDdLDVjegvRELUrTxNQzVs0Pv6f2P6/0+hniKsQ+0k5mE8D5uog7KSn67SM5G3MaV4sVLI9cVrM0sRbzCpPk837kAsbLHsZKcoUMjZxeOYik61gBgXRF+lVcUVRqPO8bLnq2v600fmBl9UUWxu+c6uf7n4pHk5DQCpJ5QQdLDTLtSaYvIT3HuyaInDQSP7xAqn+jm7YwM9ZFHN2Z7AkL0IZeZQ0K8gvWHw==
X-Exchange-Antispam-Report-Test: UriScan:(9452136761055)(767451399110);
X-Microsoft-Antispam-PRVS: 
 <CY1PR12MB015040F234C0E0DAA37137E2E57E0@CY1PR12MB0150.namprd12.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0;
	RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(3002001)(10201501046)(93006095)(93001095)(6055026)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123555025)(20161123564025)(20161123560025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);
	SRVR:CY1PR12MB0150; BCL:0; PCL:0;
	RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);
	SRVR:CY1PR12MB0150;
X-Forefront-PRVS: 0445A82F82
X-Forefront-Antispam-Report: SFV:NSPM;
	SFS:(10009020)(6009001)(39860400002)(376002)(346002)(199003)(189002)(6486002)(16526017)(50986999)(478600001)(4326008)(189998001)(5660300001)(76176999)(2361001)(86362001)(47776003)(1076002)(575784001)(68736007)(25786009)(6306002)(6116002)(2906002)(3846002)(53936002)(8936002)(33646002)(23676002)(81156014)(54906003)(2870700001)(316002)(36756003)(50226002)(966005)(2351001)(66066001)(105586002)(6666003)(97736004)(8676002)(81166006)(53416004)(101416001)(305945005)(106356001)(6916009)(7736002)(50466002)(2950100002);
	DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR12MB0150;
	H:ubuntu-010236106000.amd.com; FPR:; SPF:None;
	PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: amd.com does not designate
	permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 
 =?utf-8?B?MTtDWTFQUjEyTUIwMTUwOzIzOiszbjBrVHl4S3ZNMXowa0d6NW41Mi8vSHZX?=
	=?utf-8?B?RDlTZ2IveEtoWUxxUUtDaFFuVWQzQU5KUGswTStnMVE3bkVRZFErQzNWbFNE?=
	=?utf-8?B?WXFobW1TZXdNYjBrV0xPTkNySVRuKy9WMm9DNHVkaHpDSWxma0RkemI4bi9M?=
	=?utf-8?B?bThJeThIRHpEcUUveFZnTEVqczNTcWd4WjkrSnEwbzhxaTRMcHFlT1psdFFv?=
	=?utf-8?B?cjd2b1oyY1NFM3g4aGtESmxiRXJDdmJGMlp5ajBJdnh5ZzVVTG1JbzZFV01l?=
	=?utf-8?B?c0ozVlRYMzJ6NUJ2U3d0Q2ExL1U3RFVoZk1IZ3RneUpCd0llZ0ZzOVhIenJX?=
	=?utf-8?B?a0grWFpQbFAvWXRYaGhFY3FUcGRNaFhlUGxJbXI1T2Q2NW9rYXl0VmIzbW5F?=
	=?utf-8?B?N2J6b3VOWWs5QzFLSWdhcmVmWDd6aXlKLzZkWSsvK29vYXRvVzl6U3d4N21h?=
	=?utf-8?B?SmRmcTVkdlYxeVkzMk5CN3Ixc013WGIvd25BNDBBdW1vQXpqcXpGM2s1akZ6?=
	=?utf-8?B?SDhpYkI0cmdYcDlGV25TTWgvWmxRUnNQclllUVdOdEtDRTNIVEdHUEkvbXN2?=
	=?utf-8?B?UDNUMEphZVhjQnU1VVhKZFViVWhGMWVJSktPQkJmN0QwTmRhVzVjbzl3TGt6?=
	=?utf-8?B?djY1YWlEMjd5dWlDc2xBdzhUK3Q4YnprSjNjcWdKUzNYK2hKUTZLT1prSHhu?=
	=?utf-8?B?dW10WTAxbUN1aThsRFI2REJGK1dMcWRPc1AyYzJkVnRLb0R5Y3ZJZUhEejlu?=
	=?utf-8?B?ZFN1bFZsdDhzTnEzNVoxZ2hPRlBZcnFXeERZSm9LRkE4MTF6WjhVU3dFS0pV?=
	=?utf-8?B?MjJrQjhmQlkxMEFSeGZZT2Vwc0ZKNVdjcFRHS3ZZd09rRjFNdnpsVFlMSmxn?=
	=?utf-8?B?Z1ZnNDVxaHF0NUF2NStCeFgyekVXM3lBbG90SU1OVHZyTy9abWlaaVUrTFlE?=
	=?utf-8?B?aWRMc3BYN05GQ3AzYUVyMTQxSmdaemp2WTlFbEk0cG95NkNDZ1RoMnd3b0ph?=
	=?utf-8?B?dFk5N3grTFMvbkJ1QXdQckhkQ3dDbVNydW53QlRhblk1R0todHRSREk1SlBw?=
	=?utf-8?B?L0hwMkVBOG50U0NpU0twNXBaMGpQOUIxZXZTLzA0bzRXUGxQeTI2UkQwdHUr?=
	=?utf-8?B?Z0FKZG9lU04wUHZHT2N4MlZpZ1g5bDlVN2YxNFRQMU9ySk9lSytDbE9vWC85?=
	=?utf-8?B?eE5PNmlrTGo4aVdOZHBoVTV2RFRNM3U1Zys0L2xlZERmTG1WdWw0RWN3NjhF?=
	=?utf-8?B?UElteHhsdVVpYi9NQ21MMnZqajlkUm1sNU81ejlJRkkvNlVkclQ5SW1pNkM2?=
	=?utf-8?B?SjRyMFR0eTRPdWgzVkY2M1o0L0F3RHhFMTlFNGFuem9aM3k0TVFNSS9STVZ0?=
	=?utf-8?B?K1d0K1FaODZqNXRHbEx6QlowTzJnU3E3cGx2azFpcUZ3d3dhSHExQlRSd1g1?=
	=?utf-8?B?emNRa0pyd2UvdWh2RitzTk1ydTd6QmxrejFGS1F1eWVmV3ROVm1SMEl5L2do?=
	=?utf-8?B?SG9wcUVmK3BSRW1PbGdNdE1HQ3IvQzNIMyt5SlBQcEVJR2ZoZEJ4aGZoSGxT?=
	=?utf-8?Q?2IWUDta1XQ0D2dXSIqx15fZvGrHYreLqZ5iRTosu9gWk=3D?=
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150;
	6:aeo8F9hgX1gONfLJ7DsW3km7ZC8Tw+ss1ngs9wDKLLr9+Qx8TZsAuU02gf/ks5Xg9CaiJNyQua5Fjq4vHnAdbQYAyo1NqIVaSrsSRk5erOhqvJmg36G0Caq47nnZzhljZ3K2vBldufWpbQ38XqjMbWXLKt68mQQoPdyo9zYCN7rysBkbEpbWOlkKIXjxOTzjJig5UzqtFUpZiLOEQIEvXxvhuHQjoNsAFo1piwMZPcK3KdSNhAFxCrcFwMcyccmsVPmY3SGQjJtYbtwcNLGI8V3WBaW2Sp4dCHeU5yIVHgkskjrjvL6ys83PewoEOfDzx7DUuBUdberPDvcPNsL+xA==;
	5:mK3HR3V9bQt+DNPGToTmfsE77iBNRKbS8tYdtLkxJbP17/u1TLpU8t/XEpFQyC3LExblIQvNiSimWrko5U4htHlLgEYN66jjZfc1ehqGTNvnBjGekrvVVzVqaw9LX+ZFOutDXp5GXdDvLO1+qTObsA==;
	24:aBkX77bJOWHIJ3JZu965NjheJbVwFzRxVYMahChjWhcEUH+F6Txs5ZLFMkjncEOK0VimLfY8XGytzF25/L69uq+MnWox5fnqXAN24JA9MjE=;
	7:h3hFuEJLMWn2TzAcRLqpjo21jq+JRqgWtXz54x99p/BkOi79FWVWd9kAaP+o6V3nV0guuCJlACbrZiWgnrmNsiJt7qugLAjivW7L+6iAsiOce9i/o2nWUOU982RX34SrEoPzh0SCtB8za5V2kAJhXzEb+JlKoiRmsJd3x7KdzRHtEwkfLWwqpLVGSpwIfDyvIZo3FxS8xHGTksODd3GnHeP1if1hFHccBCAYnXfCBfg=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0150;
	20:Udy38bJsH8C3JKzWP+sb6wHd+W6chg4+JiVCa2uKgkMGzbMzc6rlsdO4Nps/RLfNAybB4Z/70pbGR+CnmevH8JCcuwtXHL3KzzvXmxKU6wfPTT2RJtDglFC8M5ul1TaxcfDa0MOhkrpcVRcXOTfkyyT+RqPGvi2cNJS3JeB6bTPmXU3jRmIKPnEYWx1s0H9p7mQKWxOh7WfhCvKf/LpSCNQIJB+YSVPBuXCMiH7XyIGl9h6TGiuD+o6vjtp2x/kD
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Sep 2017 23:07:09.6294
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR12MB0150
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The mem_encrypt=on activates both SME and SEV. Add a new argument to disable
the SEV and allow SME. The argument can be useful when SEV has issues and
we want to disable it.

early_detect_mem_encrypt() [cpu/amd.com] will need to know the state of
the mem_encrypt= argument. Since early_detect_mem_encrypt() is not defined
as __init hence we are not able to use the 'boot_command_line' variable to
parse the cmdline argument. We introduce a new function me_cmdline_state()
to get the cmdline state from mem_encrypt.c.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: kvm@vger.kernel.org
Cc: x86@kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
Boris,

The patch depends on "x86/CPU/AMD: Add the SEV CPU feature" from Part2 [1].

[1] https://patchwork.kernel.org/patch/9960315/

 Documentation/admin-guide/kernel-parameters.txt |  5 +++--
 arch/x86/include/asm/mem_encrypt.h              |  2 ++
 arch/x86/kernel/cpu/amd.c                       | 10 +++++++++
 arch/x86/mm/mem_encrypt.c                       | 27 +++++++++++++++++++++----
 include/linux/mem_encrypt.h                     |  7 +++++++
 5 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 05496622b4ef..811e0aca1c0b 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2238,8 +2238,9 @@
 			Default (depends on kernel configuration option):
 			  on  (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)
 			  off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)
-			mem_encrypt=on:		Activate SME
-			mem_encrypt=off:	Do not activate SME
+			mem_encrypt=on:		Activate SME and SEV
+			mem_encrypt=off:	Do not activate SME and SEV
+			mem_encrypt=sme:	Activate SME only
 
 			Refer to Documentation/x86/amd-memory-encryption.txt
 			for details on when memory encryption can be activated.
diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h
index 3ba68c92be1b..0f012ff9691d 100644
--- a/arch/x86/include/asm/mem_encrypt.h
+++ b/arch/x86/include/asm/mem_encrypt.h
@@ -52,6 +52,7 @@ void swiotlb_set_mem_attributes(void *vaddr, unsigned long size);
 
 bool sme_active(void);
 bool sev_active(void);
+unsigned int me_cmdline_state(void);
 
 #else	/* !CONFIG_AMD_MEM_ENCRYPT */
 
@@ -72,6 +73,7 @@ static inline void __init sme_enable(struct boot_params *bp) { }
 
 static inline bool sme_active(void) { return false; }
 static inline bool sev_active(void) { return false; }
+static inline unsigned int me_cmdline_state(void) { return ME_CMDLINE_OFF; }
 
 static inline int __init
 early_set_memory_decrypted(resource_size_t paddr, unsigned long size) { return 0; }
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index c1234aa0550c..10dfa7f1f34d 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -592,6 +592,16 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 		if (!(msr & MSR_K7_HWCR_SMMLOCK))
 			goto clear_sev;
 
+		/* Check for the mem_encrypt cmdline parameter and act accordingly. */
+		switch (me_cmdline_state()) {
+		case ME_CMDLINE_OFF:
+			goto clear_all;
+		case ME_CMDLINE_SME:
+			goto clear_sev;
+		default:
+			break;
+		}
+
 		return;
 
 clear_all:
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
index 057417a3d9b4..183cd481a55f 100644
--- a/arch/x86/mm/mem_encrypt.c
+++ b/arch/x86/mm/mem_encrypt.c
@@ -33,6 +33,7 @@
 static char sme_cmdline_arg[] __initdata = "mem_encrypt";
 static char sme_cmdline_on[]  __initdata = "on";
 static char sme_cmdline_off[] __initdata = "off";
+static char sme_cmdline_sme[] __initdata = "sme";
 
 /*
  * Since SME related variables are set early in the boot process they must
@@ -45,6 +46,7 @@ DEFINE_STATIC_KEY_FALSE(__sev);
 EXPORT_SYMBOL_GPL(__sev);
 
 static bool sev_enabled __section(.data) = false;
+static unsigned int cmdline_state __section(.data) = ME_CMDLINE_OFF;
 
 /* Buffer used for early in-place encryption by BSP, no locking needed */
 static char sme_early_buffer[PAGE_SIZE] __aligned(PAGE_SIZE);
@@ -403,6 +405,11 @@ bool sev_active(void)
 }
 EXPORT_SYMBOL_GPL(sev_active);
 
+unsigned int me_cmdline_state(void)
+{
+	return cmdline_state;
+}
+
 static const struct dma_map_ops sev_dma_ops = {
 	.alloc                  = sev_alloc,
 	.free                   = sev_free,
@@ -768,7 +775,7 @@ void __init sme_encrypt_kernel(void)
 
 void __init __nostackprotector sme_enable(struct boot_params *bp)
 {
-	const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off;
+	const char *cmdline_ptr, *cmdline_arg, *cmdline_on, *cmdline_off, *cmdline_sme;
 	unsigned int eax, ebx, ecx, edx;
 	unsigned long feature_mask;
 	bool active_by_default;
@@ -842,6 +849,9 @@ void __init __nostackprotector sme_enable(struct boot_params *bp)
 	asm ("lea sme_cmdline_off(%%rip), %0"
 	     : "=r" (cmdline_off)
 	     : "p" (sme_cmdline_off));
+	asm ("lea sme_cmdline_sme(%%rip), %0"
+	     : "=r" (cmdline_sme)
+	     : "p" (sme_cmdline_sme));
 
 	if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT))
 		active_by_default = true;
@@ -853,10 +863,19 @@ void __init __nostackprotector sme_enable(struct boot_params *bp)
 
 	cmdline_find_option(cmdline_ptr, cmdline_arg, buffer, sizeof(buffer));
 
-	if (!strncmp(buffer, cmdline_on, sizeof(buffer)))
+	if (!strncmp(buffer, cmdline_on, sizeof(buffer))) {
 		sme_me_mask = me_mask;
-	else if (!strncmp(buffer, cmdline_off, sizeof(buffer)))
+		cmdline_state = ME_CMDLINE_ON;
+	} else if (!strncmp(buffer, cmdline_off, sizeof(buffer))) {
 		sme_me_mask = 0;
-	else
+		cmdline_state = ME_CMDLINE_OFF;
+	} else if (!strncmp(buffer, cmdline_sme, sizeof(buffer))) {
+		sme_me_mask = me_mask;
+		cmdline_state = ME_CMDLINE_SME;
+	} else {
 		sme_me_mask = active_by_default ? me_mask : 0;
+		if (active_by_default)
+			cmdline_state = ME_CMDLINE_ON;
+	}
+
 }
diff --git a/include/linux/mem_encrypt.h b/include/linux/mem_encrypt.h
index b310a9c18113..7863cf2137e0 100644
--- a/include/linux/mem_encrypt.h
+++ b/include/linux/mem_encrypt.h
@@ -15,6 +15,12 @@
 
 #ifndef __ASSEMBLY__
 
+enum {
+	ME_CMDLINE_OFF,
+	ME_CMDLINE_ON,
+	ME_CMDLINE_SME
+};
+
 #ifdef CONFIG_ARCH_HAS_MEM_ENCRYPT
 
 #include <asm/mem_encrypt.h>
@@ -25,6 +31,7 @@
 
 static inline bool sme_active(void) { return false; }
 static inline bool sev_active(void) { return false; }
+static unsigned int me_cmdline_state(void) { return ME_CMDLINE_OFF; }
 
 #endif	/* CONFIG_ARCH_HAS_MEM_ENCRYPT */