[v9,37/43] x86/sev: Add SEV-SNP feature detection/setup

Message ID	20220128171804.569796-38-brijesh.singh@amd.com (mailing list archive)
State	Deferred, archived
Headers	show Return-Path: <platform-driver-x86-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; From: Brijesh Singh <brijesh.singh@amd.com> To: <x86@kernel.org>, <linux-kernel@vger.kernel.org>, <kvm@vger.kernel.org>, <linux-efi@vger.kernel.org>, <platform-driver-x86@vger.kernel.org>, <linux-coco@lists.linux.dev>, <linux-mm@kvack.org> CC: Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>, Tom Lendacky <thomas.lendacky@amd.com>, "H. Peter Anvin" <hpa@zytor.com>, Ard Biesheuvel <ardb@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>, Sean Christopherson <seanjc@google.com>, "Vitaly Kuznetsov" <vkuznets@redhat.com>, Jim Mattson <jmattson@google.com>, "Andy Lutomirski" <luto@kernel.org>, Dave Hansen <dave.hansen@linux.intel.com>, Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>, "Peter Zijlstra" <peterz@infradead.org>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, David Rientjes <rientjes@google.com>, Dov Murik <dovmurik@linux.ibm.com>, Tobin Feldman-Fitzthum <tobin@ibm.com>, Borislav Petkov <bp@alien8.de>, Michael Roth <michael.roth@amd.com>, Vlastimil Babka <vbabka@suse.cz>, "Kirill A . Shutemov" <kirill@shutemov.name>, Andi Kleen <ak@linux.intel.com>, "Dr . David Alan Gilbert" <dgilbert@redhat.com>, <brijesh.ksingh@gmail.com>, <tony.luck@intel.com>, <marcorr@google.com>, <sathyanarayanan.kuppuswamy@linux.intel.com>, Brijesh Singh <brijesh.singh@amd.com> Subject: [PATCH v9 37/43] x86/sev: Add SEV-SNP feature detection/setup Date: Fri, 28 Jan 2022 11:17:58 -0600 Message-ID: <20220128171804.569796-38-brijesh.singh@amd.com> In-Reply-To: <20220128171804.569796-1-brijesh.singh@amd.com> References: <20220128171804.569796-1-brijesh.singh@amd.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: bulk
Series	Add AMD Secure Nested Paging (SEV-SNP) Guest Support \| expand [v9,00/43] Add AMD Secure Nested Paging (SEV-SNP) Guest Support [v9,01/43] KVM: SVM: Define sev_features and vmpl field in the VMSA [v9,02/43] KVM: SVM: Create a separate mapping for the SEV-ES save area [v9,03/43] KVM: SVM: Create a separate mapping for the GHCB save area [v9,04/43] KVM: SVM: Update the SEV-ES save area mapping [v9,05/43] x86/compressed/64: Detect/setup SEV/SME features earlier in boot [v9,06/43] x86/sev: Detect/setup SEV/SME features earlier in boot [v9,07/43] x86/mm: Extend cc_attr to include AMD SEV-SNP [v9,08/43] x86/sev: Define the Linux specific guest termination reasons [v9,09/43] x86/sev: Save the negotiated GHCB version [v9,10/43] x86/sev: Check SEV-SNP features support [v9,11/43] x86/sev: Add a helper for the PVALIDATE instruction [v9,12/43] x86/sev: Check the vmpl level [v9,13/43] x86/compressed: Add helper for validating pages in the decompression stage [v9,14/43] x86/compressed: Register GHCB memory when SEV-SNP is active [v9,15/43] x86/sev: Register GHCB memory when SEV-SNP is active [v9,16/43] x86/sev: Add helper for validating pages in early enc attribute changes [v9,17/43] x86/kernel: Make the .bss..decrypted section shared in RMP table [v9,18/43] x86/kernel: Validate ROM memory before accessing when SEV-SNP is active [v9,19/43] x86/mm: Add support to validate memory when changing C-bit [v9,20/43] x86/sev: Use SEV-SNP AP creation to start secondary CPUs [v9,21/43] x86/head/64: Re-enable stack protection [v9,22/43] x86/sev: Move MSR-based VMGEXITs for CPUID to helper [v9,23/43] KVM: x86: Move lookup of indexed CPUID leafs to helper [v9,24/43] x86/compressed/acpi: Move EFI detection to helper [v9,25/43] x86/compressed/acpi: Move EFI system table lookup to helper [v9,26/43] x86/compressed/acpi: Move EFI config table lookup to helper [v9,27/43] x86/compressed/acpi: Move EFI vendor table lookup to helper [v9,28/43] x86/compressed/acpi: Move EFI kexec handling into common code [v9,29/43] x86/boot: Add Confidential Computing type to setup_data [v9,30/43] KVM: SEV: Add documentation for SEV-SNP CPUID Enforcement [v9,31/43] x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers [v9,32/43] x86/boot: Add a pointer to Confidential Computing blob in bootparams [v9,33/43] x86/compressed: Add SEV-SNP feature detection/setup [v9,34/43] x86/compressed: Use firmware-validated CPUID leaves for SEV-SNP guests [v9,35/43] x86/compressed: Export and rename add_identity_map() [v9,36/43] x86/compressed/64: Add identity mapping for Confidential Computing blob [v9,37/43] x86/sev: Add SEV-SNP feature detection/setup [v9,38/43] x86/sev: Use firmware-validated CPUID for SEV-SNP guests [v9,39/43] x86/sev: Provide support for SNP guest request NAEs [v9,40/43] x86/sev: Register SEV-SNP guest request platform device [v9,41/43] virt: Add SEV-SNP guest driver [v9,42/43] virt: sevguest: Add support to derive key [v9,43/43] virt: sevguest: Add support to get extended report

Message ID

20220128171804.569796-38-brijesh.singh@amd.com (mailing list archive)

State

Deferred, archived

Headers

Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com;
From: Brijesh Singh <brijesh.singh@amd.com>
To: <x86@kernel.org>, <linux-kernel@vger.kernel.org>,
        <kvm@vger.kernel.org>, <linux-efi@vger.kernel.org>,
        <platform-driver-x86@vger.kernel.org>,
        <linux-coco@lists.linux.dev>, <linux-mm@kvack.org>
CC: Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Ard Biesheuvel <ardb@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Sean Christopherson <seanjc@google.com>,
        "Vitaly Kuznetsov" <vkuznets@redhat.com>,
        Jim Mattson <jmattson@google.com>,
        "Andy Lutomirski" <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>,
        "Peter Zijlstra" <peterz@infradead.org>,
        Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
        David Rientjes <rientjes@google.com>,
        Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>,
        Borislav Petkov <bp@alien8.de>,
        Michael Roth <michael.roth@amd.com>,
        Vlastimil Babka <vbabka@suse.cz>,
        "Kirill A . Shutemov" <kirill@shutemov.name>,
        Andi Kleen <ak@linux.intel.com>,
        "Dr . David Alan Gilbert" <dgilbert@redhat.com>,
        <brijesh.ksingh@gmail.com>, <tony.luck@intel.com>,
        <marcorr@google.com>, <sathyanarayanan.kuppuswamy@linux.intel.com>,
        Brijesh Singh <brijesh.singh@amd.com>
Subject: [PATCH v9 37/43] x86/sev: Add SEV-SNP feature detection/setup
Date: Fri, 28 Jan 2022 11:17:58 -0600
Message-ID: <20220128171804.569796-38-brijesh.singh@amd.com>
In-Reply-To: <20220128171804.569796-1-brijesh.singh@amd.com>
References: <20220128171804.569796-1-brijesh.singh@amd.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Jan 2022 17:19:27.4521
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 a0d7524e-cfc7-46fd-266a-08d9e2825691
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
 DM6NAM11FT032.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR12MB3460
Precedence: bulk
List-ID: <platform-driver-x86.vger.kernel.org>
X-Mailing-List: platform-driver-x86@vger.kernel.org

Series

Add AMD Secure Nested Paging (SEV-SNP) Guest Support | expand

Commit Message

Brijesh Singh Jan. 28, 2022, 5:17 p.m. UTC

From: Michael Roth <michael.roth@amd.com>

Initial/preliminary detection of SEV-SNP is done via the Confidential
Computing blob. Check for it prior to the normal SEV/SME feature
initialization, and add some sanity checks to confirm it agrees with
SEV-SNP CPUID/MSR bits.

Signed-off-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 arch/x86/boot/compressed/sev.c     | 33 ---------------
 arch/x86/include/asm/sev.h         |  2 +
 arch/x86/kernel/sev-shared.c       | 33 +++++++++++++++
 arch/x86/kernel/sev.c              | 64 ++++++++++++++++++++++++++++++
 arch/x86/mm/mem_encrypt_identity.c |  8 ++++
 5 files changed, 107 insertions(+), 33 deletions(-)

Comments

Borislav Petkov Feb. 6, 2022, 7:38 p.m. UTC | #1

On Fri, Jan 28, 2022 at 11:17:58AM -0600, Brijesh Singh wrote:
> +static __init struct cc_blob_sev_info *snp_find_cc_blob(struct boot_params *bp)
> +{
> +	struct cc_blob_sev_info *cc_info;
> +
> +	/* Boot kernel would have passed the CC blob via boot_params. */
> +	if (bp->cc_blob_address) {
> +		cc_info = (struct cc_blob_sev_info *)(unsigned long)bp->cc_blob_address;
> +		goto found_cc_info;
> +	}

What is the difference here, why aren't you looking for the blob in an
EFI table?

Even if you're booted directly by firmware, there should still be EFI
there or?

And if so, then I think you should share some of the code through
sev-shared.c so that there's not so much duplication...

Michael Roth Feb. 8, 2022, 5:25 a.m. UTC | #2

On Sun, Feb 06, 2022 at 08:38:19PM +0100, Borislav Petkov wrote:
> On Fri, Jan 28, 2022 at 11:17:58AM -0600, Brijesh Singh wrote:
> > +static __init struct cc_blob_sev_info *snp_find_cc_blob(struct boot_params *bp)
> > +{
> > +	struct cc_blob_sev_info *cc_info;
> > +
> > +	/* Boot kernel would have passed the CC blob via boot_params. */
> > +	if (bp->cc_blob_address) {
> > +		cc_info = (struct cc_blob_sev_info *)(unsigned long)bp->cc_blob_address;
> > +		goto found_cc_info;
> > +	}
> 
> What is the difference here, why aren't you looking for the blob in an
> EFI table?
> 
> Even if you're booted directly by firmware, there should still be EFI
> there or?
> 
> And if so, then I think you should share some of the code through
> sev-shared.c so that there's not so much duplication...

In order to scan EFI this early in the boot of kernel proper, we'd need
to pull in the helpers from arch/x86/boot/compressed/efi.c, since the
normal EFI facilities don't get set up until later. It's doable, but
since any entry via boot/compressed kernel will have already done that
work and stashed it in boot_params->cc_blob_address, it seems like it
would only introduce more complexity and potential for breakage.

For direct entry to kernel proper, our thinking is that it would be for
things like the PVH entry path:

  https://stefano-garzarella.github.io/posts/2019-08-23-qemu-linux-kernel-pvh/

which doesn't use EFI, or other container-focused applications which use
lightweight non-EFI firmwares like qboot. So to support direct entry into
kernel proper, relying on the CC blob setup_data structure instead seems
more suited for these cases, so that's why kernel proper only uses the
setup_data structure and relies on boot/compressed to handle EFI entry.

> 
> -- 
> Regards/Gruss,
>     Boris.
> 
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpeople.kernel.org%2Ftglx%2Fnotes-about-netiquette&amp;data=04%7C01%7Cmichael.roth%40amd.com%7Ccb8e665b2ed14dbd400c08d9e9a841ff%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637797731199858639%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=5Pd7PA4BdfnfWzcXpah8HkrtVfu4h6nUIR8b3mB%2BIxM%3D&amp;reserved=0

diff --git a/arch/x86/boot/compressed/sev.c b/arch/x86/boot/compressed/sev.c
index faf432684870..cde5658e1007 100644
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -364,39 +364,6 @@  static struct cc_blob_sev_info *snp_find_cc_blob_efi(struct boot_params *bp)
 								EFI_CC_BLOB_GUID);
 }
 
-struct cc_setup_data {
-	struct setup_data header;
-	u32 cc_blob_address;
-};
-
-static struct cc_setup_data *get_cc_setup_data(struct boot_params *bp)
-{
-	struct setup_data *hdr = (struct setup_data *)bp->hdr.setup_data;
-
-	while (hdr) {
-		if (hdr->type == SETUP_CC_BLOB)
-			return (struct cc_setup_data *)hdr;
-		hdr = (struct setup_data *)hdr->next;
-	}
-
-	return NULL;
-}
-
-/*
- * Search for a Confidential Computing blob passed in as a setup_data entry
- * via the Linux Boot Protocol.
- */
-static struct cc_blob_sev_info *snp_find_cc_blob_setup_data(struct boot_params *bp)
-{
-	struct cc_setup_data *sd;
-
-	sd = get_cc_setup_data(bp);
-	if (!sd)
-		return NULL;
-
-	return (struct cc_blob_sev_info *)(unsigned long)sd->cc_blob_address;
-}
-
 /*
  * Initial set up of SEV-SNP relies on information provided by the
  * Confidential Computing blob, which can be passed to the boot kernel
diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h
index 4e3909042001..219abb4590f2 100644
--- a/arch/x86/include/asm/sev.h
+++ b/arch/x86/include/asm/sev.h
@@ -153,6 +153,7 @@  void snp_set_memory_shared(unsigned long vaddr, unsigned int npages);
 void snp_set_memory_private(unsigned long vaddr, unsigned int npages);
 void snp_set_wakeup_secondary_cpu(void);
 bool snp_init(struct boot_params *bp);
+void snp_abort(void);
 #else
 static inline void sev_es_ist_enter(struct pt_regs *regs) { }
 static inline void sev_es_ist_exit(void) { }
@@ -171,6 +172,7 @@  static inline void snp_set_memory_shared(unsigned long vaddr, unsigned int npage
 static inline void snp_set_memory_private(unsigned long vaddr, unsigned int npages) { }
 static inline void snp_set_wakeup_secondary_cpu(void) { }
 static inline bool snp_init(struct boot_params *bp) { return false; }
+static inline void snp_abort(void) { }
 #endif
 
 #endif
diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c
index dea9f7b28620..2bddbfea079b 100644
--- a/arch/x86/kernel/sev-shared.c
+++ b/arch/x86/kernel/sev-shared.c
@@ -928,3 +928,36 @@  static enum es_result vc_handle_rdtsc(struct ghcb *ghcb,
 
 	return ES_OK;
 }
+
+struct cc_setup_data {
+	struct setup_data header;
+	u32 cc_blob_address;
+};
+
+static struct cc_setup_data *get_cc_setup_data(struct boot_params *bp)
+{
+	struct setup_data *hdr = (struct setup_data *)bp->hdr.setup_data;
+
+	while (hdr) {
+		if (hdr->type == SETUP_CC_BLOB)
+			return (struct cc_setup_data *)hdr;
+		hdr = (struct setup_data *)hdr->next;
+	}
+
+	return NULL;
+}
+
+/*
+ * Search for a Confidential Computing blob passed in as a setup_data entry
+ * via the Linux Boot Protocol.
+ */
+static struct cc_blob_sev_info *snp_find_cc_blob_setup_data(struct boot_params *bp)
+{
+	struct cc_setup_data *sd;
+
+	sd = get_cc_setup_data(bp);
+	if (!sd)
+		return NULL;
+
+	return (struct cc_blob_sev_info *)(unsigned long)sd->cc_blob_address;
+}
diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c
index c2bc07eb97e9..5c72b21c7e7b 100644
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -1983,3 +1983,67 @@  bool __init handle_vc_boot_ghcb(struct pt_regs *regs)
 	while (true)
 		halt();
 }
+
+/*
+ * Initial set up of SEV-SNP relies on information provided by the
+ * Confidential Computing blob, which can be passed to the kernel
+ * in the following ways, depending on how it is booted:
+ *
+ * - when booted via the boot/decompress kernel:
+ *   - via boot_params
+ *
+ * - when booted directly by firmware/bootloader (e.g. CONFIG_PVH):
+ *   - via a setup_data entry, as defined by the Linux Boot Protocol
+ *
+ * Scan for the blob in that order.
+ */
+static __init struct cc_blob_sev_info *snp_find_cc_blob(struct boot_params *bp)
+{
+	struct cc_blob_sev_info *cc_info;
+
+	/* Boot kernel would have passed the CC blob via boot_params. */
+	if (bp->cc_blob_address) {
+		cc_info = (struct cc_blob_sev_info *)(unsigned long)bp->cc_blob_address;
+		goto found_cc_info;
+	}
+
+	/*
+	 * If kernel was booted directly, without the use of the
+	 * boot/decompression kernel, the CC blob may have been passed via
+	 * setup_data instead.
+	 */
+	cc_info = snp_find_cc_blob_setup_data(bp);
+	if (!cc_info)
+		return NULL;
+
+found_cc_info:
+	if (cc_info->magic != CC_BLOB_SEV_HDR_MAGIC)
+		snp_abort();
+
+	return cc_info;
+}
+
+bool __init snp_init(struct boot_params *bp)
+{
+	struct cc_blob_sev_info *cc_info;
+
+	if (!bp)
+		return false;
+
+	cc_info = snp_find_cc_blob(bp);
+	if (!cc_info)
+		return false;
+
+	/*
+	 * The CC blob will be used later to access the secrets page. Cache
+	 * it here like the boot kernel does.
+	 */
+	bp->cc_blob_address = (u32)(unsigned long)cc_info;
+
+	return true;
+}
+
+void __init snp_abort(void)
+{
+	sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED);
+}
diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
index 3f0abb403340..2f723e106ed3 100644
--- a/arch/x86/mm/mem_encrypt_identity.c
+++ b/arch/x86/mm/mem_encrypt_identity.c
@@ -44,6 +44,7 @@ 
 #include <asm/setup.h>
 #include <asm/sections.h>
 #include <asm/cmdline.h>
+#include <asm/sev.h>
 
 #include "mm_internal.h"
 
@@ -508,8 +509,11 @@  void __init sme_enable(struct boot_params *bp)
 	bool active_by_default;
 	unsigned long me_mask;
 	char buffer[16];
+	bool snp;
 	u64 msr;
 
+	snp = snp_init(bp);
+
 	/* Check for the SME/SEV support leaf */
 	eax = 0x80000000;
 	ecx = 0;
@@ -541,6 +545,10 @@  void __init sme_enable(struct boot_params *bp)
 	sev_status   = __rdmsr(MSR_AMD64_SEV);
 	feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
 
+	/* The SEV-SNP CC blob should never be present unless SEV-SNP is enabled. */
+	if (snp && !(sev_status & MSR_AMD64_SEV_SNP_ENABLED))
+		snp_abort();
+
 	/* Check if memory encryption is enabled */
 	if (feature_mask == AMD_SME_BIT) {
 		/*

[v9,37/43] x86/sev: Add SEV-SNP feature detection/setup

Commit Message

Comments

Patch