On 11/14/2016 10:32 AM, Joerg Roedel wrote:
> On Wed, Nov 09, 2016 at 06:37:32PM -0600, Tom Lendacky wrote:
>> +/* For now, disable the IOMMU if SME is active */
>> +if (sme_me_mask)
>> +return -ENODEV;
>> +
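Review bot: The early return of -ENODEV under "if (sme_me_mask)" exits without logging anything, so a system booted with SME active loses the IOMMU with no indication of why. Emit a one-line notice before the return that names SME as the reason, and have the "For now" comment say what has to land before the check can be removed.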
>
> Please print a message here t
On 11/11/2016 10:17 AM, Kani, Toshimitsu wrote:
> On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system
>> is booted and needs to be accessed unencrypted. Add support to apply
>> the proper attributes t
Since the setup data is in memory in the clear, it must be accessed as
un-encrypted. Always use ioremap (similar to sysfs setup data support)
to map the data.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/kdebugfs.c | 30 +++---
1 file changed, 11 insertions(+), 19
This patch adds the support to check if SME has been enabled and if the
mem_encrypt=on command line option is set. If both of these conditions
are true, then the encryption mask is set and the kernel is encrypted
"in place."
Signed-off-by: Tom Lendacky
---
arch/x86/kernel
This patch adds the support to check if SME has been enabled and if the
mem_encrypt=on command line option is set. If both of these conditions
are true, then the encryption mask is set and the kernel is encrypted
"in place."
Signed-off-by: Tom Lendacky
---
arch/x86/kerne
For now, disable the AMD IOMMU if memory encryption is active. A future
patch will re-enable the function with full memory encryption support.
Signed-off-by: Tom Lendacky
---
drivers/iommu/amd_iommu_init.c |5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/iommu
Since video memory needs to be accessed unencrypted be sure that the
memory encryption mask is not set for the video ranges.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
drivers/gpu/drm/drm_gem.c|2 ++
drivers/gpu/drm/drm_vm.c |4
Update the KVM support to include the memory encryption mask when creating
and using nested page tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |3 ++-
arch/x86/kvm/mmu.c |8 ++--
arch/x86/kvm/vmx.c |3 ++-
arch/x86/kvm/x86.c
This patch adds support to change the memory encryption attribute for
one or more memory pages.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 +
arch/x86/include/asm/mem_encrypt.h | 13 ++
arch/x86/mm/mem_encrypt.c | 43 +
arch
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A CPU running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
-off-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 ---
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 -
arch/x86/mm/mem_encrypt.c
Add support to check if memory encryption is active in the kernel and that
it has been enabled on the AP. If memory encryption is active in the kernel
but has not been enabled on the AP then do not allow the AP to continue
start up.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm
.
For the initrd, encrypt this data in place. Since the future mapping of the
initrd area will be mapped as encrypted the data will be accessed properly.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 13
arch/x86/kernel/head64.c | 21 --
arch
encryption attribute can be applied.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820.h|1
arch/x86/kernel/e820.c | 16 +++
arch/x86/mm/ioremap.c | 89
arch/x86/platform/efi/efi_64.c | 12 -
drivers/firmware/efi
routine to update the protection map with
the memory encryption mask so that it is used by default
- #undef CONFIG_AMD_MEM_ENCRYPT in the compressed boot path
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h|7 +
arch
when encrypting data "in place". The write-protect attribute is
considered cacheable for loads, but not stores. This implies that the
hardware will never give the core a dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/fixmap.h|9 +++
arch/x
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/common.c | 30 ++
2
with full function to be added in a later patch.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/Makefile |2 ++
arch/x86/kernel/head_64.S | 35 ++-
arch/x86/kernel/mem_encrypt_init.c | 29 +
3 files changed, 65
This patch adds a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature.
Signed-off-by: Tom Lendacky
---
Documentation/kernel-parameters.txt |5 +++
Documentation/x86/amd-memory-encryption.txt | 40 +++
2 files changed, 45 insertions
possible that BIOS could have configured resources
into a range that will now not be addressable. To prevent this,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (20):
x86: Documentation for AMD Secure Memory Encry
Update the cpu features to include identifying and reporting on the
Secure Memory Encryption feature.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/kernel/cpu/scattered.c|1 +
2 files changed, 2 insertions(+)
diff --git a/arch/x86/include/asm
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86
On 09/14/2016 09:51 AM, Borislav Petkov wrote:
> On Wed, Sep 14, 2016 at 09:29:41AM -0500, Tom Lendacky wrote:
>> This is still required because just using the __va() would still cause
>> the mapping created to have the encryption bit set. The ioremap call
>> will result in t
On 09/14/2016 09:41 AM, Borislav Petkov wrote:
> On Wed, Sep 14, 2016 at 08:45:44AM -0500, Tom Lendacky wrote:
>> Currently, mem_encrypt.h only lives in the arch/x86 directory so it
>> wouldn't be able to be included here without breaking other archs.
>
> I'm wond
On 09/15/2016 04:57 AM, Matt Fleming wrote:
> On Wed, 14 Sep, at 09:20:44AM, Tom Lendacky wrote:
>> On 09/12/2016 11:55 AM, Andy Lutomirski wrote:
>>> On Aug 22, 2016 6:53 PM, "Tom Lendacky" wrote:
>>>>
>>>> BOOT data (such as EFI related data)
On 09/12/2016 12:08 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:39:08PM -0500, Tom Lendacky wrote:
>> This patch adds the support to check if SME has been enabled and if the
>> mem_encrypt=on command line option is set. If both of these conditions
>> are true, the
On 09/12/2016 11:59 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:59PM -0500, Tom Lendacky wrote:
>> Since the setup data is in memory in the clear, it must be accessed as
>> un-encrypted. Always use ioremap (similar to sysfs setup data support)
>> to map the d
On 09/12/2016 11:55 AM, Andy Lutomirski wrote:
> On Aug 22, 2016 6:53 PM, "Tom Lendacky" wrote:
>>
>> BOOT data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed as non-encrypted. Add support to the
>> early
On 09/12/2016 11:43 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:29PM -0500, Tom Lendacky wrote:
>> Add support to check if memory encryption is active in the kernel and that
>> it has been enabled on the AP. If memory encryption is active in the kernel
>
>
On 09/12/2016 11:33 AM, Borislav Petkov wrote:
> On Mon, Sep 12, 2016 at 10:05:36AM -0500, Tom Lendacky wrote:
>> I can look into that. The reason I put this here is this is all the
>> early page fault support that is very specific to this file. I modified
>> an existing st
On 09/12/2016 09:35 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:49PM -0500, Tom Lendacky wrote:
>> Update the KVM support to include the memory encryption mask when creating
>> and using nested page tables.
>>
>> Signed-off-by: Tom Lendacky
>
On 09/12/2016 07:17 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:29PM -0500, Tom Lendacky wrote:
>> Add support to check if memory encryption is active in the kernel and that
>> it has been enabled on the AP. If memory encryption is active in the kernel
>> but ha
On 09/12/2016 06:45 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:20PM -0500, Tom Lendacky wrote:
>> Add support to the AMD IOMMU driver to set the memory encryption mask if
>> memory encryption is enabled.
>>
>> Signed-off-by: Tom Lendacky
>
On 09/12/2016 05:58 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:38:07PM -0500, Tom Lendacky wrote:
>> Since DMA addresses will effectively look like 48-bit addresses when the
>> memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
>> device pe
On 09/09/2016 12:34 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:37:57PM -0500, Tom Lendacky wrote:
>> When Secure Memory Encryption is enabled, the trampoline area must not
>> be encrypted. A cpu running in real mode will not be able to decrypt
>
> s/cpu/C
On 09/09/2016 12:23 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:37:49PM -0500, Tom Lendacky wrote:
>> This patch adds support to change the memory encryption attribute for
>> one or more memory pages.
>>
>> Signed-off-by: Tom Lendacky
>> ---
>
On 09/09/2016 11:38 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:37:38PM -0500, Tom Lendacky wrote:
>> BOOT data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed as non-encrypted. Add support to the
>> early_memrema
On 09/09/2016 10:53 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:37:23PM -0500, Tom Lendacky wrote:
>> Encrypt memory areas in place when possible (e.g. zero page, etc.) so
>> that special handling isn't needed afterwards.
>>
>> Signed-off-by: Tom Lend
On 09/08/2016 08:55 AM, Borislav Petkov wrote:
> On Thu, Sep 08, 2016 at 08:26:27AM -0500, Tom Lendacky wrote:
>> When does this value get initialized? Since _PAGE_ENC is #defined to
>> sme_me_mask, which is not set until the boot process begins, I'm afraid
>> we'd
On 09/07/2016 10:55 AM, Borislav Petkov wrote:
> On Wed, Sep 07, 2016 at 09:30:54AM -0500, Tom Lendacky wrote:
>> _PAGE_ENC is #defined as sme_me_mask and sme_me_mask has already been
>> set (or not set) at this point - so it will be the mask if SME is
>> active or 0
On 09/06/2016 04:31 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote:
>> Adding general kernel support for memory encryption includes:
>> - Modify and create some page table macros to include the Secure Memory
>> Encryption (SME) m
On 09/05/2016 10:22 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote:
>> Adding general kernel support for memory encryption includes:
>> - Modify and create some page table macros to include the Secure Memory
>> Encryption (SME) m
On 09/05/2016 03:48 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote:
>> Adding general kernel support for memory encryption includes:
>> - Modify and create some page table macros to include the Secure Memory
>> Encryption (SME) m
On 09/02/2016 01:14 PM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote:
>> Adding general kernel support for memory encryption includes:
>> - Modify and create some page table macros to include the Secure Memory
>> Encryption (SME) m
On 09/02/2016 09:09 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:36:22PM -0500, Tom Lendacky wrote:
>> Update the cpu features to include identifying and reporting on the
>> Secure Memory Encryption feature.
>>
>> Signed-off-by: Tom Lendacky
>> ---
>
On 09/02/2016 06:03 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:35:59PM -0500, Tom Lendacky wrote:
>> Provide the Kconfig support to build the SME support in the kernel.
>>
>> Signed-off-by: Tom Lendacky
>> ---
>> arch/x86/Kconfig |9 +
On 09/02/2016 03:50 AM, Borislav Petkov wrote:
> On Mon, Aug 22, 2016 at 05:35:39PM -0500, Tom Lendacky wrote:
>> This patch adds a Documentation entry to describe the AMD Secure Memory
>> Encryption (SME) feature.
>>
>> Signed-off-by: Tom Lendacky
>> ---
On 08/30/2016 09:57 AM, Andy Lutomirski wrote:
> On Aug 30, 2016 6:34 AM, "Tom Lendacky" wrote:
>>
>> On 08/25/2016 08:04 AM, Thomas Gleixner wrote:
>>> On Mon, 22 Aug 2016, Tom Lendacky wrote:
>>>
>>>> Provide support for Secure Memory
On 08/25/2016 08:04 AM, Thomas Gleixner wrote:
> On Mon, 22 Aug 2016, Tom Lendacky wrote:
>
>> Provide support for Secure Memory Encryption (SME). This initial support
>> defines the memory encryption mask as a variable for quick access and an
>> accessor for retrievin
Since the setup data is in memory in the clear, it must be accessed as
un-encrypted. Always use ioremap (similar to sysfs setup data support)
to map the data.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/kdebugfs.c | 30 +++---
1 file changed, 11 insertions(+), 19
This patch adds the support to check if SME has been enabled and if the
mem_encrypt=on command line option is set. If both of these conditions
are true, then the encryption mask is set and the kernel is encrypted
"in place."
Signed-off-by: Tom Lendacky
---
Documentation/kernel-para
Update the KVM support to include the memory encryption mask when creating
and using nested page tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |3 ++-
arch/x86/kvm/mmu.c |8 ++--
arch/x86/kvm/vmx.c |3 ++-
arch/x86/kvm/x86.c
Add support to the AMD IOMMU driver to set the memory encryption mask if
memory encryption is enabled.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h |2 ++
arch/x86/mm/mem_encrypt.c |5 +
drivers/iommu/amd_iommu.c | 10 ++
3 files
Add support to check if memory encryption is active in the kernel and that
it has been enabled on the AP. If memory encryption is active in the kernel
but has not been enabled on the AP then do not allow the AP to continue
start up.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/msr
-off-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |6 +++
arch/x86/kernel/pci-dma.c | 11 --
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 +++--
arch/x86/mm/mem_encrypt.c
Since the VGA memory needs to be accessed unencrypted be sure that the
memory encryption mask is not set for the VGA range being mapped.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
1 file changed, 13 insertions(+)
diff --git a/arch/x86/include/asm/vga.h b
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A cpu running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
This patch adds support to change the memory encryption attribute for
one or more memory pages.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 +
arch/x86/include/asm/mem_encrypt.h | 13 ++
arch/x86/mm/mem_encrypt.c | 43 +
arch
initrd will have been loaded by the boot loader and
will not be encrypted, but the memory that it resides in is marked as
encrypted).
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 +
arch/x86/mm/mem_encrypt.c | 101
2
defined, KERNEL_DATA and BOOT_DATA.
Signed-off-by: Tom Lendacky
---
arch/arm64/kernel/acpi.c |2 +-
arch/ia64/include/asm/early_ioremap.h |2 +-
arch/x86/kernel/devicetree.c |6 --
arch/x86/kernel/e820.c|2 +-
arch/x86/kernel/setup.c
Encrypt memory areas in place when possible (e.g. zero page, etc.) so
that special handling isn't needed afterwards.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head64.c | 93 --
arch/x86/kernel/setup.c |8
2 files change
Provide support for Secure Memory Encryption (SME). This initial support
defines the memory encryption mask as a variable for quick access and an
accessor for retrieving the number of physical addressing bits lost if
SME is enabled.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/common.c |2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/cpu/common.c b
plies that the hardware will never give the core a
dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/fixmap.h|9 +
arch/x86/include/asm/pgtable_types.h |8
arch/x86/mm/ioremap.c| 28
i
so that it is used by default
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 ++
arch/x86/include/asm/fixmap.h|7 ++
arch/x86/include/asm/mem_encrypt.h | 18 +++
arch/x86/include/asm/pgtable.h | 26
Update the cpu features to include identifying and reporting on the
Secure Memory Encryption feature.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeature.h|7 +--
arch/x86/include/asm/cpufeatures.h |5 -
arch/x86/include/asm/disabled-features.h |3
Provide the Kconfig support to build the SME support in the kernel.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig |9 +
1 file changed, 9 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index c580d8c..131f329 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
This patch adds a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature.
Signed-off-by: Tom Lendacky
---
Documentation/x86/amd-memory-encryption.txt | 35 +++
1 file changed, 35 insertions(+)
create mode 100644 Documentation/x86/amd-memory
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/mm/pat.c b/arch/x86/mm
cryption support in the kernel.
Tom Lendacky (20):
x86: Documentation for AMD Secure Memory Encryption (SME)
x86: Set the write-protect cache mode for full PAT support
x86: Secure Memory Encryption (SME) build enablement
x86: Secure Memory Encryption (SME) support
x86: Ad
On 06/15/2016 08:17 AM, Tom Lendacky wrote:
> On 06/13/2016 08:51 AM, Matt Fleming wrote:
>> On Thu, 09 Jun, at 01:33:30PM, Tom Lendacky wrote:
>>>
[...]
>>
>>> I'll look further into this, but I saw that this area of virtual memory
>>> was mapped u
On 06/13/2016 08:51 AM, Matt Fleming wrote:
> On Thu, 09 Jun, at 01:33:30PM, Tom Lendacky wrote:
>>
>> I was trying to play it safe here, but as you say, the firmware should
>> be using our page tables so we can get rid of this call. The problem
>> will actually be if we
On 06/13/2016 07:03 AM, Matt Fleming wrote:
> On Thu, 09 Jun, at 11:16:40AM, Tom Lendacky wrote:
>>
>> So maybe something along the lines of an enum that would have entries
>> (initially) like KERNEL_DATA (equal to zero) and EFI_DATA. Others could
>> be added later
On 06/08/2016 06:18 AM, Matt Fleming wrote:
> On Tue, 26 Apr, at 05:57:40PM, Tom Lendacky wrote:
>> The EFI tables are not encrypted and need to be accessed as such. Be sure
>> to memmap them without the encryption attribute set. For EFI support that
>> lives outside of the ar
On 06/08/2016 05:07 AM, Matt Fleming wrote:
> (Sorry for the delay)
No worries, thanks for all the feedback.
>
> On Thu, 26 May, at 08:45:58AM, Tom Lendacky wrote:
>>
>> The patch in question is patch 6/18 where PAGE_KERNEL is changed to
>> include the _PAGE_ENC att
On 05/25/2016 02:30 PM, Matt Fleming wrote:
> On Tue, 24 May, at 09:54:31AM, Tom Lendacky wrote:
>>
>> I looked into this and this would be a large change also to parse tables
>> and build lists. It occurred to me that this could all be taken care of
>> if the early_mem
On 05/12/2016 01:20 PM, Tom Lendacky wrote:
> On 05/10/2016 08:57 AM, Borislav Petkov wrote:
>> On Tue, May 10, 2016 at 02:43:58PM +0100, Matt Fleming wrote:
>>> Is it not possible to maintain some kind of kernel virtual address
>>> mapping so memremap*() and friends can
On 05/10/2016 08:57 AM, Borislav Petkov wrote:
> On Tue, May 10, 2016 at 02:43:58PM +0100, Matt Fleming wrote:
>> Is it not possible to maintain some kind of kernel virtual address
>> mapping so memremap*() and friends can figure out when to twiddle the
>> mapping attributes and map with/without en
On 05/09/2016 10:13 AM, Paolo Bonzini wrote:
>
>
> On 02/05/2016 20:31, Andy Lutomirski wrote:
>> And did the SEV implementation remember to encrypt the guest register
>> state? Because, if not, everything of importance will leak out
>> through the VMCB and/or GPRs.
>
> No, it doesn't. And SEV
On 05/01/2016 05:10 PM, Huang, Kai wrote:
>
>
> On 4/27/2016 10:58 AM, Tom Lendacky wrote:
>> Add support to set the memory encryption enable flag on the APs during
>> realmode initialization. When an AP is started it checks this flag, and
>> if set, enables me
On 04/30/2016 01:13 AM, Elliott, Robert (Persistent Memory) wrote:
>> -Original Message-
>> From: linux-kernel-ow...@vger.kernel.org [mailto:linux-kernel-
>> ow...@vger.kernel.org] On Behalf Of Tom Lendacky
>> Sent: Tuesday, April 26, 2016 5:56 PM
>> Sub
On 04/29/2016 11:27 AM, Konrad Rzeszutek Wilk wrote:
> On Fri, Apr 29, 2016 at 10:12:45AM -0500, Tom Lendacky wrote:
>> On 04/29/2016 02:17 AM, Konrad Rzeszutek Wilk wrote:
>>> On Tue, Apr 26, 2016 at 05:58:12PM -0500, Tom Lendacky wrote:
>>>> Since DMA addresses wil
On 04/29/2016 02:17 AM, Konrad Rzeszutek Wilk wrote:
> On Tue, Apr 26, 2016 at 05:58:12PM -0500, Tom Lendacky wrote:
>> Since DMA addresses will effectively look like 48-bit addresses when the
>> memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
>> devi
On 04/27/2016 09:39 AM, Andy Lutomirski wrote:
> On Tue, Apr 26, 2016 at 3:55 PM, Tom Lendacky wrote:
>> This RFC patch series provides support for AMD's new Secure Memory
>> Encryption (SME) feature.
>>
>> SME can be used to mark individual pages of memory as encr
On 03/22/2016 08:03 AM, Pavel Machek wrote:
> On Tue 2016-04-26 17:56:26, Tom Lendacky wrote:
>> Provide support for Secure Memory Encryption (SME). This initial support
>> defines the memory encryption mask as a variable for quick access and an
>> accessor for retrieving t
On 03/22/2016 08:01 AM, Pavel Machek wrote:
> On Tue 2016-04-26 17:56:14, Tom Lendacky wrote:
>> Provide the Kconfig support to build the SME support in the kernel.
>
>
> Probably should go last in the series?
Yeah, I've seen arguments both ways for this. Doing it ear
On 04/27/2016 09:47 AM, Andy Lutomirski wrote:
> On Wed, Apr 27, 2016 at 7:44 AM, Tom Lendacky wrote:
>> On 04/27/2016 09:33 AM, Andy Lutomirski wrote:
>>> On Tue, Apr 26, 2016 at 3:56 PM, Tom Lendacky
>>> wrote:
>>>> For AMD processors that suppor
On 04/27/2016 09:33 AM, Andy Lutomirski wrote:
> On Tue, Apr 26, 2016 at 3:56 PM, Tom Lendacky wrote:
>> For AMD processors that support PAT, set the write-protect cache mode
>> (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
>
> What's the purp
On 03/22/2016 08:00 AM, Pavel Machek wrote:
> Hi!
>
>> This RFC patch series provides support for AMD's new Secure Memory
>> Encryption (SME) feature.
>>
>> SME can be used to mark individual pages of memory as encrypted through the
>> page tables. A page of memory that is marked encrypted will be
Signed-off-by: Tom Lendacky
---
Documentation/kernel-parameters.txt |3
arch/x86/kernel/asm-offsets.c |2
arch/x86/kernel/mem_encrypt.S | 306 +++
3 files changed, 311 insertions(+)
diff --git a/Documentation/kernel-parameters.txt
b/Doc
Encrypt memory areas in place when possible (e.g. zero page, etc.) so
that special handling isn't needed afterwards.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head64.c | 90 +++---
arch/x86/kernel/setup.c |8
2 files change
initrd will have been loaded by the boot loader and
will not be encrypted, but the memory that it resides in is marked as
encrypted).
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 ++
arch/x86/mm/mem_encrypt.c | 89
2
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A cpu running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
.
When freeing boot services related memory, since it has been mapped as
un-encrypted, be sure to change the mapping to encrypted for future use.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 +
arch/x86/include/asm/mem_encrypt.h | 22 +++
arch/x86/kernel
Add support to the AMD IOMMU driver to set the memory encryption mask if
memory encryption is enabled.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h |2 ++
arch/x86/mm/mem_encrypt.c |5 +
drivers/iommu/amd_iommu.c | 10 ++
3 files
Since the VGA memory needs to be accessed unencrypted be sure that the
memory encryption mask is not set for the VGA range being mapped.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
1 file changed, 13 insertions(+)
diff --git a/arch/x86/include/asm/vga.h b
-off-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 --
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 +++--
arch/x86/mm/mem_encrypt.c
Update the KVM support to include the memory encryption mask when creating
and using nested page tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |2 +-
arch/x86/kvm/mmu.c |7 +--
arch/x86/kvm/vmx.c |2 +-
arch/x86/kvm/x86.c
The device tree is not encrypted and needs to be accessed as such. Be sure
to memmap it without the encryption mask set.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/devicetree.c |6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/devicetree.c b/arch