Re: [RFC PATCH v2 13/20] x86: Decrypt trampoline area if memory encryption is active

2016-09-12 Thread Tom Lendacky
On 09/09/2016 12:34 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:37:57PM -0500, Tom Lendacky wrote:
>> When Secure Memory Encryption is enabled, the trampoline area must not
>> be encrypted. A cpu running in real mode will not be able to decrypt
> 
> s/cpu/CPU/... always :-)

Ok.

> 
>> memory that has been encrypted because it will not be able to use addresses
>> with the memory encryption mask.
>>
>> Signed-off-by: Tom Lendacky 
>> ---
>>  arch/x86/realmode/init.c |9 +
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
>> index 5db706f1..f74925f 100644
>> --- a/arch/x86/realmode/init.c
>> +++ b/arch/x86/realmode/init.c
>> @@ -6,6 +6,7 @@
>>  #include 
>>  #include 
>>  #include 
>> +#include 
>>  
>>  struct real_mode_header *real_mode_header;
>>  u32 *trampoline_cr4_features;
>> @@ -130,6 +131,14 @@ static void __init set_real_mode_permissions(void)
>>  unsigned long text_start =
>>  (unsigned long) __va(real_mode_header->text_start);
>>  
>> +/*
>> + * If memory encryption is active, the trampoline area will need to
>> + * be in non-encrypted memory in order to bring up other processors
> 
> Let's stick with either "unencrypted" - I'd prefer that one - or
> "non-encrypted" nomenclature so that there's no distraction. I see both
> versions in the patchset.

Yup, I'll audit the code and make everything consistent.

Thanks,
Tom

> 
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [RFC PATCH v2 13/20] x86: Decrypt trampoline area if memory encryption is active

2016-09-09 Thread Borislav Petkov
On Mon, Aug 22, 2016 at 05:37:57PM -0500, Tom Lendacky wrote:
> When Secure Memory Encryption is enabled, the trampoline area must not
> be encrypted. A cpu running in real mode will not be able to decrypt

s/cpu/CPU/... always :-)

> memory that has been encrypted because it will not be able to use addresses
> with the memory encryption mask.
> 
> Signed-off-by: Tom Lendacky 
> ---
>  arch/x86/realmode/init.c |9 +
>  1 file changed, 9 insertions(+)
> 
> diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
> index 5db706f1..f74925f 100644
> --- a/arch/x86/realmode/init.c
> +++ b/arch/x86/realmode/init.c
> @@ -6,6 +6,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  
>  struct real_mode_header *real_mode_header;
>  u32 *trampoline_cr4_features;
> @@ -130,6 +131,14 @@ static void __init set_real_mode_permissions(void)
>   unsigned long text_start =
>   (unsigned long) __va(real_mode_header->text_start);
>  
> + /*
> +  * If memory encryption is active, the trampoline area will need to
> +  * be in non-encrypted memory in order to bring up other processors

Let's stick with either "unencrypted" - I'd prefer that one - or
"non-encrypted" nomenclature so that there's no distraction. I see both
versions in the patchset.

-- 
Regards/Gruss,
Boris.

ECO tip #101: Trim your mails when you reply.


[RFC PATCH v2 13/20] x86: Decrypt trampoline area if memory encryption is active

2016-08-22 Thread Tom Lendacky
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A cpu running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.

Signed-off-by: Tom Lendacky 
---
 arch/x86/realmode/init.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
index 5db706f1..f74925f 100644
--- a/arch/x86/realmode/init.c
+++ b/arch/x86/realmode/init.c
@@ -6,6 +6,7 @@
 #include 
 #include 
 #include 
+#include 
 
 struct real_mode_header *real_mode_header;
 u32 *trampoline_cr4_features;
@@ -130,6 +131,14 @@ static void __init set_real_mode_permissions(void)
unsigned long text_start =
(unsigned long) __va(real_mode_header->text_start);
 
+   /*
+* If memory encryption is active, the trampoline area will need to
+* be in non-encrypted memory in order to bring up other processors
+* successfully.
+*/
+   sme_early_mem_dec(__pa(base), size);
+   sme_set_mem_dec(base, size);
+
set_memory_nx((unsigned long) base, size >> PAGE_SHIFT);
set_memory_ro((unsigned long) base, ro_size >> PAGE_SHIFT);
set_memory_x((unsigned long) text_start, text_size >> PAGE_SHIFT);
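
Review bot: The two added calls in set_real_mode_permissions(), `sme_early_mem_dec(__pa(base), size)` and `sme_set_mem_dec(base, size)`, run unconditionally although the comment above them begins "If memory encryption is active". If the active check lives inside the helpers, the comment should say so; otherwise the calls need a guard. The comment should also explain why both calls are needed and what each does to the range, since one takes a physical address and the other a virtual one. Both are used as bare statements, so if either helper can fail the failure is dropped here, and by the comment's own wording the other processors would then not come up; a check with a warning or panic at this point would make that failure visible.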
