diff mbox series

[RFC,v7,13/64] x86/cpufeatures: Add SEV-SNP CPU feature

Message ID 20221214194056.161492-14-michael.roth@amd.com (mailing list archive)
State New, archived
Headers show
Series Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support | expand

Commit Message

Michael Roth Dec. 14, 2022, 7:40 p.m. UTC
From: Brijesh Singh <brijesh.singh@amd.com>

Add CPU feature detection for Secure Encrypted Virtualization with
Secure Nested Paging. This feature adds a strong memory integrity
protection to help prevent malicious hypervisor-based attacks like
data replay, memory re-mapping, and more.

Link: https://lore.kernel.org/all/YrGINaPc3cojG6%2F3@zn.tnic/
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Jarkko Sakkinen <jarkko@profian.com>
Signed-off-by: Ashish Kalra <Ashish.Kalra@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 arch/x86/include/asm/cpufeatures.h       | 1 +
 arch/x86/kernel/cpu/amd.c                | 5 +++--
 tools/arch/x86/include/asm/cpufeatures.h | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

Comments

Borislav Petkov Feb. 1, 2023, 6:39 p.m. UTC | #1
On Wed, Dec 14, 2022 at 01:40:05PM -0600, Michael Roth wrote:
> From: Brijesh Singh <brijesh.singh@amd.com>
> 
> Add CPU feature detection for Secure Encrypted Virtualization with
> Secure Nested Paging. This feature adds a strong memory integrity
> protection to help prevent malicious hypervisor-based attacks like
> data replay, memory re-mapping, and more.
> 
> Link: https://lore.kernel.org/all/YrGINaPc3cojG6%2F3@zn.tnic/

That points to some review feedback I've given - dunno if it is
relevant.

> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> Signed-off-by: Jarkko Sakkinen <jarkko@profian.com>

I read this as Jarkko has handled this patch too. Is that the case?

> Signed-off-by: Ashish Kalra <Ashish.Kalra@amd.com>
> Signed-off-by: Michael Roth <michael.roth@amd.com>

Those last two are ok - you took ovef from Ashish.

Thx.
Michael Roth Feb. 20, 2023, 4:26 p.m. UTC | #2
On Wed, Feb 01, 2023 at 07:39:32PM +0100, Borislav Petkov wrote:
> On Wed, Dec 14, 2022 at 01:40:05PM -0600, Michael Roth wrote:
> > From: Brijesh Singh <brijesh.singh@amd.com>
> > 
> > Add CPU feature detection for Secure Encrypted Virtualization with
> > Secure Nested Paging. This feature adds a strong memory integrity
> > protection to help prevent malicious hypervisor-based attacks like
> > data replay, memory re-mapping, and more.
> > 
> > Link: https://lore.kernel.org/all/YrGINaPc3cojG6%2F3@zn.tnic/
> 
> That points to some review feedback I've given - dunno if it is
> relevant.
> 
> > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> > Signed-off-by: Jarkko Sakkinen <jarkko@profian.com>
> 
> I read this as Jarkko has handled this patch too. Is that the case?

Yes we shared some patches via an internal tree at some stages.

-Mike

> 
> > Signed-off-by: Ashish Kalra <Ashish.Kalra@amd.com>
> > Signed-off-by: Michael Roth <michael.roth@amd.com>
> 
> Those last two are ok - you took ovef from Ashish.
> 
> Thx.
> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette
Borislav Petkov Feb. 20, 2023, 5:50 p.m. UTC | #3
On Mon, Feb 20, 2023 at 10:26:47AM -0600, Michael Roth wrote:
> On Wed, Feb 01, 2023 at 07:39:32PM +0100, Borislav Petkov wrote:
> > On Wed, Dec 14, 2022 at 01:40:05PM -0600, Michael Roth wrote:
> > > From: Brijesh Singh <brijesh.singh@amd.com>
> > > 
> > > Add CPU feature detection for Secure Encrypted Virtualization with
> > > Secure Nested Paging. This feature adds a strong memory integrity
> > > protection to help prevent malicious hypervisor-based attacks like
> > > data replay, memory re-mapping, and more.
> > > 
> > > Link: https://lore.kernel.org/all/YrGINaPc3cojG6%2F3@zn.tnic/
> > 
> > That points to some review feedback I've given - dunno if it is
> > relevant.
> > 
> > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> > > Signed-off-by: Jarkko Sakkinen <jarkko@profian.com>
> > 
> > I read this as Jarkko has handled this patch too. Is that the case?
> 
> Yes we shared some patches via an internal tree at some stages.

In the sense that, he took Brijesh's patch, then he did something with
it(?) and then Ashish took it from him and then you took it from Ashish?

This is how I'm reading this SOB chain at least...
Michael Roth Feb. 20, 2023, 6 p.m. UTC | #4
On Mon, Feb 20, 2023 at 06:50:09PM +0100, Borislav Petkov wrote:
> On Mon, Feb 20, 2023 at 10:26:47AM -0600, Michael Roth wrote:
> > On Wed, Feb 01, 2023 at 07:39:32PM +0100, Borislav Petkov wrote:
> > > On Wed, Dec 14, 2022 at 01:40:05PM -0600, Michael Roth wrote:
> > > > From: Brijesh Singh <brijesh.singh@amd.com>
> > > > 
> > > > Add CPU feature detection for Secure Encrypted Virtualization with
> > > > Secure Nested Paging. This feature adds a strong memory integrity
> > > > protection to help prevent malicious hypervisor-based attacks like
> > > > data replay, memory re-mapping, and more.
> > > > 
> > > > Link: https://lore.kernel.org/all/YrGINaPc3cojG6%2F3@zn.tnic/
> > > 
> > > That points to some review feedback I've given - dunno if it is
> > > relevant.
> > > 
> > > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> > > > Signed-off-by: Jarkko Sakkinen <jarkko@profian.com>
> > > 
> > > I read this as Jarkko has handled this patch too. Is that the case?
> > 
> > Yes we shared some patches via an internal tree at some stages.
> 
> In the sense that, he took Brijesh's patch, then he did something with
> it(?) and then Ashish took it from him and then you took it from Ashish?

Yes, I think he rebased Ashish's tree on a newer tree and added his SoB on
patches that required any conflict resolutions or changes on his end, so
we kept those intact since then.

-Mike

> 
> This is how I'm reading this SOB chain at least...
> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette
Borislav Petkov Feb. 20, 2023, 6:36 p.m. UTC | #5
On Mon, Feb 20, 2023 at 12:00:38PM -0600, Michael Roth wrote:
> Yes, I think he rebased Ashish's tree on a newer tree and added his SoB on
> patches that required any conflict resolutions or changes on his end, so
> we kept those intact since then.

Ok, that makes sense.

Thx.
diff mbox series

Patch

diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 1419c4e04d45..480b4eaef310 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -420,6 +420,7 @@ 
 #define X86_FEATURE_SEV			(19*32+ 1) /* AMD Secure Encrypted Virtualization */
 #define X86_FEATURE_VM_PAGE_FLUSH	(19*32+ 2) /* "" VM Page Flush MSR is supported */
 #define X86_FEATURE_SEV_ES		(19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */
+#define X86_FEATURE_SEV_SNP		(19*32+ 4) /* AMD Secure Encrypted Virtualization - Secure Nested Paging */
 #define X86_FEATURE_V_TSC_AUX		(19*32+ 9) /* "" Virtual TSC_AUX */
 #define X86_FEATURE_SME_COHERENT	(19*32+10) /* "" AMD hardware-enforced cache coherency */
 
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 860b60273df3..c7884198ad5b 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -558,8 +558,8 @@  static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 	 *	      SME feature (set in scattered.c).
 	 *	      If the kernel has not enabled SME via any means then
 	 *	      don't advertise the SME feature.
-	 *   For SEV: If BIOS has not enabled SEV then don't advertise the
-	 *            SEV and SEV_ES feature (set in scattered.c).
+	 *   For SEV: If BIOS has not enabled SEV then don't advertise SEV and
+	 *	      any additional functionality based on it.
 	 *
 	 *   In all cases, since support for SME and SEV requires long mode,
 	 *   don't advertise the feature under CONFIG_X86_32.
@@ -594,6 +594,7 @@  static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
 clear_sev:
 		setup_clear_cpu_cap(X86_FEATURE_SEV);
 		setup_clear_cpu_cap(X86_FEATURE_SEV_ES);
+		setup_clear_cpu_cap(X86_FEATURE_SEV_SNP);
 	}
 }
 
diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
index b71f4f2ecdd5..e81606fcd2ab 100644
--- a/tools/arch/x86/include/asm/cpufeatures.h
+++ b/tools/arch/x86/include/asm/cpufeatures.h
@@ -417,6 +417,7 @@ 
 #define X86_FEATURE_SEV			(19*32+ 1) /* AMD Secure Encrypted Virtualization */
 #define X86_FEATURE_VM_PAGE_FLUSH	(19*32+ 2) /* "" VM Page Flush MSR is supported */
 #define X86_FEATURE_SEV_ES		(19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */
+#define X86_FEATURE_SEV_SNP		(19*32+ 4) /* AMD Secure Encrypted Virtualization - Secure Nested Paging */
 #define X86_FEATURE_V_TSC_AUX		(19*32+ 9) /* "" Virtual TSC_AUX */
 #define X86_FEATURE_SME_COHERENT	(19*32+10) /* "" AMD hardware-enforced cache coherency */