On Mon, Jul 24, 2017 at 02:07:41PM -0500, Brijesh Singh wrote:
Subject: Re: [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure
Encrypted Virtualization (SEV) descrption
^^
From: Tom Lendacky
Secure Encrypted Virtualization (SEV) does not support string I/O, so
unroll the string I/O operation into a loop operating on one element at
a time.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
arch/x86/include/asm/io.h | 26 ++
1 fi
From: Tom Lendacky
Early in the boot process, add checks to determine if the kernel is
running with Secure Encrypted Virtualization (SEV) active.
Checking for SEV requires checking that the kernel is running under a
hypervisor (CPUID 0x0001, bit 31), that the SEV feature is available
(CPUID
The guest physical memory area holding the struct pvclock_wall_clock and
struct pvclock_vcpu_time_info are shared with the hypervisor. Hypervisor
periodically updates the contents of the memory. When SEV is active, we
must clear the encryption attributes from the shared memory pages so that
both hy
Some KVM-specific custom MSRs shares the guest physical address with
hypervisor. When SEV is active, the shared physical address must be mapped
with encryption attribute cleared so that both hypervsior and guest can
access the data.
Add APIs to change memory encryption attribute in early boot code
Some KVM specific MSR's (steal-time, asyncpf, avic_eio) allocates per-CPU
variable at compile time and share its physical address with hypervisor.
It presents a challege when SEV is active in guest OS, when SEV is active,
the guest memory is encrypted with guest key hence hypervisor will not
able t
From: Tom Lendacky
In order for memory pages to be properly mapped when SEV is active, we
need to use the PAGE_KERNEL protection attribute as the base protection.
This will insure that memory mapping of, e.g. ACPI tables, receives the
proper mapping attributes.
Signed-off-by: Tom Lendacky
Signe
From: Tom Lendacky
DMA access to memory mapped as encrypted while SEV is active can not be
encrypted during device write or decrypted during device read. In order
for DMA to properly work when SEV is active, the SWIOTLB bounce buffers
must be used.
Signed-off-by: Tom Lendacky
Signed-off-by: Bri
From: Tom Lendacky
In prep for a new function that will need additional resource information
during the resource walk, update the resource walk callback to pass the
resource structure. Since the current callback start and end arguments
are pulled from the resource structure, the callback functio
From: Tom Lendacky
The walk_iomem_res_desc(), walk_system_ram_res() and walk_system_ram_range()
functions each have much of the same code. Create a new function that
consolidates the common code from these functions in one place to reduce
the amount of duplicated code.
Signed-off-by: Tom Lendac
From: Tom Lendacky
When SEV is active the trampoline area will need to be in encrypted
memory so only mark the area decrypted if SME is active.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
arch/x86/realmode/init.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
di
From: Tom Lendacky
When Secure Encrypted Virtualization (SEV) is active, boot data (such as
EFI related data, setup data) is encrypted and needs to be accessed as
such when mapped. Update the architecture override in early_memremap to
keep the encryption attribute when mapping this data.
Signed-
From: Tom Lendacky
The current code checks only for sme_active() when determining whether
to perform the encryption attribute change. Include sev_active() in this
check so that memory attribute changes can occur under SME and SEV.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
From: Tom Lendacky
EFI data is encrypted when the kernel is run under SEV. Update the
page table references to be sure the EFI memory areas are accessed
encrypted.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
arch/x86/platform/efi/efi_64.c | 15 ++-
1 file changed,
From: Tom Lendacky
Update the CPU features to include identifying and reporting on the
Secure Encrypted Virtualization (SEV) feature. SME is identified by
CPUID 0x801f, but requires BIOS support to enable it (set bit 23 of
MSR_K8_SYSCFG and set bit 0 of MSR_K7_HWCR). Only show the SEV featu
From: Tom Lendacky
When SEV is active the initrd/initramfs will already have already been
placed in memory encyrpted so do not try to encrypt it.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
arch/x86/kernel/setup.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
d
From: Tom Lendacky
Provide support for Secure Encyrpted Virtualization (SEV). This initial
support defines a flag that is used by the kernel to determine if it is
running with SEV active.
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
---
arch/x86/include/asm/mem_encrypt.h | 2 ++
a
Update amd-memory-encryption document describing the AMD Secure Encrypted
Virtualization (SEV) feature.
Signed-off-by: Brijesh Singh
---
Documentation/x86/amd-memory-encryption.txt | 29 ++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/Documentation/x8
This part of Secure Encrypted Virtualization (SEV) series focuses on the
changes required in a guest OS for SEV support.
When SEV is active, the memory content of guest OS will be transparently
encrypted
with a key unique to the guest VM.
SEV guests have concept of private and shared memory. Pri
> diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
> index 29d6699d5a06..1c68709123aa 100644
> --- a/scripts/mod/file2alias.c
> +++ b/scripts/mod/file2alias.c
> @@ -36,7 +36,7 @@ typedef uint16_t__u16;
> typedef unsigned char__u8;
> typedef struct {
> __u8 b[16];
On Wed, Jul 19, 2017 at 09:28:55PM +0300, Andy Shevchenko wrote:
> There are new types and helpers that are supposed to be used in new code.
>
> As a preparation to get rid of legacy types and API functions do
> the conversion here.
Can you split the uapi changes into a separate patch?
I'd love
21 matches
Mail list logo