[tip:x86/mm] x86/boot/e820: Add support to determine the E820 type of an address

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: d68baa3fa6e4d703fd0c7954ee5c739789e7242f Gitweb: http://git.kernel.org/tip/d68baa3fa6e4d703fd0c7954ee5c739789e7242f Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:12 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:01 +0200 x86/boot/e820: Add support

[tip:x86/mm] x86/mm: Insure that boot memory areas are mapped properly

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: b9d05200bc12444c7778a49c9694d8382ed06aa8 Gitweb: http://git.kernel.org/tip/b9d05200bc12444c7778a49c9694d8382ed06aa8 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:11 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:01 +0200 x86/mm: Insure that boot

[tip:x86/mm] x86/mm: Extend early_memremap() support with additional attrs

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: f88a68facd9a15b94f8c195d9d2c0b30c76c595a Gitweb: http://git.kernel.org/tip/f88a68facd9a15b94f8c195d9d2c0b30c76c595a Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:09 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:00 +0200 x86/mm: Extend

[tip:x86/mm] x86/mm: Provide general kernel support for memory encryption

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 21729f81ce8ae76a6995681d40e16f7ce8075db4 Gitweb: http://git.kernel.org/tip/21729f81ce8ae76a6995681d40e16f7ce8075db4 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:07 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:00 +0200 x86/mm: Provide general

[tip:x86/mm] x86/mm: Add SME support for read_cr3_pa()

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: eef9c4abe77f55b1600f59d8ac5f1d953e2f5384 Gitweb: http://git.kernel.org/tip/eef9c4abe77f55b1600f59d8ac5f1d953e2f5384 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:08 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:00 +0200 x86/mm: Add SME support

[tip:x86/mm] x86/mm: Simplify p[g4um]d_page() macros

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: fd7e315988b784509ba3f1b42f539bd0b1fca9bb Gitweb: http://git.kernel.org/tip/fd7e315988b784509ba3f1b42f539bd0b1fca9bb Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:06 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:38:00 +0200 x86/mm: Simplify p[g4um

[tip:x86/mm] x86/mm: Add Secure Memory Encryption (SME) support

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 7744ccdbc16f0ac4adae21b3678af93775b3a386 Gitweb: http://git.kernel.org/tip/7744ccdbc16f0ac4adae21b3678af93775b3a386 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:03 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:59 +0200 x86/mm: Add Secure Memory

[tip:x86/mm] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 33c2b803edd13487518a2c7d5002d84d7e9c878f Gitweb: http://git.kernel.org/tip/33c2b803edd13487518a2c7d5002d84d7e9c878f Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:04 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:59 +0200 x86/mm: Remove

[tip:x86/mm] x86/mm: Add support to enable SME in early boot processing

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 5868f3651fa0dff96a57f94d49247d3ef320ebe2 Gitweb: http://git.kernel.org/tip/5868f3651fa0dff96a57f94d49247d3ef320ebe2 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:05 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:59 +0200 x86/mm: Add support to

[tip:x86/mm] x86/cpu/AMD: Handle SME reduction in physical address size

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 9af9b94068fb1ea3206a700fc222075966fbef14 Gitweb: http://git.kernel.org/tip/9af9b94068fb1ea3206a700fc222075966fbef14 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:02 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:59 +0200 x86/cpu/AMD: Handle SME

[tip:x86/mm] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap() for RAM mappings

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: f7750a79568788473c5e8092ee58a52248f34329 Gitweb: http://git.kernel.org/tip/f7750a79568788473c5e8092ee58a52248f34329 Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:00 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:58 +0200 x86, mpparse, x86/acpi

[tip:x86/mm] x86/cpu/AMD: Add the Secure Memory Encryption CPU feature

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: 872cbefd2d9c52bd0b1e2c7942c4369e98a5a5ae Gitweb: http://git.kernel.org/tip/872cbefd2d9c52bd0b1e2c7942c4369e98a5a5ae Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:10:01 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:59 +0200 x86/cpu/AMD: Add the

[tip:x86/mm] x86/cpu/AMD: Document AMD Secure Memory Encryption (SME)

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: c262f3b9a3246da87c66ce398cd7e30d8f1529ea Gitweb: http://git.kernel.org/tip/c262f3b9a3246da87c66ce398cd7e30d8f1529ea Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:09:58 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:58 +0200 x86/cpu/AMD: Document AMD

[tip:x86/mm] x86/mm/pat: Set write-protect cache mode for full PAT support

2017-07-18 Thread tip-bot for Tom Lendacky
Commit-ID: aac7b79eea6118dee3da9b99dcd564471672806d Gitweb: http://git.kernel.org/tip/aac7b79eea6118dee3da9b99dcd564471672806d Author: Tom Lendacky AuthorDate: Mon, 17 Jul 2017 16:09:59 -0500 Committer: Ingo Molnar CommitDate: Tue, 18 Jul 2017 11:37:58 +0200 x86/mm/pat: Set write

[PATCH v10 03/38] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

2017-07-17 Thread Tom Lendacky
being mapped decrypted vs encrypted. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/dmi.h | 8 arch/x86/kernel/acpi/boot.c | 6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c | 28

[PATCH v10 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-17 Thread Tom Lendacky
scenario, remove the ISA range check and usage of phys_to_virt() and have ISA range mappings continue through the remaining ioremap() path. Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/arch/x86/mm

[PATCH v10 02/38] x86/mm/pat: Set write-protect cache mode for full PAT support

2017-07-17 Thread Tom Lendacky
For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/pat.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86

[PATCH v10 01/38] x86: Document AMD Secure Memory Encryption (SME)

2017-07-17 Thread Tom Lendacky
Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- Documentation/admin-guide/kernel-parameters.txt | 11 Documentation/x86/amd

[PATCH v10 05/38] x86/CPU/AMD: Handle SME reduction in physical address size

2017-07-17 Thread Tom Lendacky
When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c | 24 +--- 1 file changed, 13 insertions

[PATCH v10 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-07-17 Thread Tom Lendacky
and not configured as CONFIG_X86_32. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 2 ++ arch/x86/kernel/cpu/amd.c | 19 +++ arch/x86/kernel/cpu/scattered.c| 1 + 4 files changed, 23 insertions(+) diff

[PATCH v10 08/38] x86/mm: Add support to enable SME in early boot processing

2017-07-17 Thread Tom Lendacky
routines to set the encryption mask and perform the encryption are stub routines for now with functionality to be added in a later patch. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 8 ++ arch/x86/kernel/head64.c | 53

[PATCH v10 10/38] x86/mm: Provide general kernel support for memory encryption

2017-07-17 Thread Tom Lendacky
encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/boot/compressed/pagetable.c | 7 ++ arch/x86/include/asm/fixmap.h| 7 ++ arch/x86/include/asm

[PATCH v10 14/38] x86/mm: Insure that boot memory areas are mapped properly

2017-07-17 Thread Tom Lendacky
initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 6 arch/x86/include/asm/pgtable.h | 3 ++ arch/x86/kernel/head64.c

[PATCH v10 13/38] x86/mm: Add support for early encrypt/decrypt of memory

2017-07-17 Thread Tom Lendacky
initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 10 + arch/x86/mm/mem_encrypt.c | 76

[PATCH v10 11/38] x86/mm: Add SME support for read_cr3_pa()

2017-07-17 Thread Tom Lendacky
native version of read_cr3_pa(), so create native_read_cr3_pa(). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/processor-flags.h | 5 +++-- arch/x86/include/asm/processor.h | 5 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/arch

[PATCH v10 17/38] efi: Update efi_mem_type() to return an error rather than 0

2017-07-17 Thread Tom Lendacky
on to return a negative error value when no memmap entry is found. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/ia64/kernel/efi.c | 4 ++-- arch/x86/platform/efi/efi.c | 6 +++--- include/linux/efi.h | 2 +- 3 files changed, 6 inser

[PATCH v10 12/38] x86/mm: Extend early_memremap() support with additional attrs

2017-07-17 Thread Tom Lendacky
s that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/Kconfig | 4 arch/x86/include/asm/fixmap.h| 13 +++ arch/x86/include/asm/pgtable_types.h | 8 +++ a

[PATCH v10 18/38] x86/efi: Update EFI pagetable creation to work with SME

2017-07-17 Thread Tom Lendacky
successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/platform/efi/efi_64.c | 15

[PATCH v10 15/38] x86/boot/e820: Add support to determine the E820 type of an address

2017-07-17 Thread Tom Lendacky
Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/e820/api.h | 2 ++ arch/x86/kernel/e820.c | 26 +++--- 2 files changed, 25 insertions(+), 3 deletions

[PATCH v10 19/38] x86/mm: Add support to access boot related data in the clear

2017-07-17 Thread Tom Lendacky
remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h | 5 ++ arch/x86/mm/ioremap.c | 180

[PATCH v10 22/38] x86/mm: Add support for changing the memory encryption attribute

2017-07-17 Thread Tom Lendacky
mask range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/set_memory.h | 3 ++ arch/x86/mm/pageattr.c| 62 +++ 2 files changed, 65 insertions(+) diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/includ

[PATCH v10 23/38] x86/realmode: Decrypt trampoline area if memory encryption is active

2017-07-17 Thread Tom Lendacky
When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. Reviewed-by: Borislav Petkov Signed-off-by: Tom

[PATCH v10 21/38] x86/mm: Add support to access persistent memory in the clear

2017-07-17 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index 8986b28..704fc08 100644 --- a/arch/x86/mm/ioremap.c +++ b

[PATCH v10 26/38] x86/CPU/AMD: Make the microcode level available earlier in the boot

2017-07-17 Thread Tom Lendacky
Move the setting of the cpuinfo_x86.microcode field from amd_init() to early_amd_init() so that it is available earlier in the boot process. This avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel

[PATCH v10 24/38] x86, swiotlb: Add memory encryption support

2017-07-17 Thread Tom Lendacky
-by: Tom Lendacky --- arch/x86/include/asm/dma-mapping.h | 5 ++-- arch/x86/include/asm/mem_encrypt.h | 5 arch/x86/kernel/pci-dma.c | 11 +--- arch/x86/kernel/pci-nommu.c| 2 +- arch/x86/kernel/pci-swiotlb.c | 15 +-- arch/x86/mm/mem_encrypt.c

[PATCH v10 27/38] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-07-17 Thread Tom Lendacky
: Borislav Petkov Signed-off-by: Tom Lendacky --- drivers/iommu/amd_iommu.c | 30 -- drivers/iommu/amd_iommu_init.c | 34 -- drivers/iommu/amd_iommu_proto.h | 10 ++ drivers/iommu/amd_iommu_types.h | 2 +- 4 files changed, 55

[PATCH v10 29/38] x86, drm, fbdev: Do not specify encrypted memory for video mappings

2017-07-17 Thread Tom Lendacky
Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/vga.h | 14 +- arch/x86/mm/pageattr.c | 2 ++ drivers/gpu

[PATCH v10 30/38] kvm: x86: svm: Support Secure Memory Encryption within KVM

2017-07-17 Thread Tom Lendacky
tables. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/kvm/mmu.c | 11 +++ arch/x86/kvm/mmu.h | 2 +- arch/x86/kvm/svm.c | 35 ++- arch/x86/kvm/vmx.c

[PATCH v10 33/38] x86/mm: Use proper encryption attributes with /dev/mem

2017-07-17 Thread Tom Lendacky
mapped encrypted then the VMA protection value is updated to remove the encryption bit. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h | 3 +++ arch/x86/mm/ioremap.c | 18 +- arch/x86/mm/pat.c | 3 +++ 3 files changed, 15

[PATCH v10 35/38] x86/mm: Add support to encrypt the kernel in-place

2017-07-17 Thread Tom Lendacky
Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is encrypted by copying it through a temporary buffer. Signed-off-by: Tom Lendacky --- arch/x86/include/asm

[PATCH v10 34/38] x86/mm: Create native_make_p4d() for PGTABLE_LEVELS <= 4

2017-07-17 Thread Tom Lendacky
Currently, native_make_p4d() is only defined when CONFIG_PGTABLE_LEVELS is greater than 4. Create a macro that will allow for defining and using native_make_p4d() when CONFIG_PGTABLES_LEVELS is not greater than 4. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable_types.h | 5 + 1

[PATCH v10 31/38] x86/mm, kexec: Allow kexec to be used with SME

2017-07-17 Thread Tom Lendacky
encryption bit. This can cause random memory corruption when caches are flushed depending on which cacheline is written last. Cc: Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/init.h | 1 + arch/x86/include/asm/kexec.h | 8 arch/x86

[PATCH v10 38/38] x86/mm: Add support to make use of Secure Memory Encryption

2017-07-17 Thread Tom Lendacky
Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 6 ++- arch/x86/kernel/head64.c | 5 ++- arch/x86/mm/mem_encrypt.c | 77 +- 3 files changed, 83 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/mem_encrypt

[PATCH v10 28/38] x86, realmode: Check for memory encryption on the APs

2017-07-17 Thread Tom Lendacky
the AP to continue start up. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c | 4 arch/x86/realmode/rm/trampoline_64.S | 24 3 files changed, 40 insertions

[PATCH v10 37/38] compiler-gcc.h: Introduce __nostackp function attribute

2017-07-17 Thread Tom Lendacky
Create a new function attribute, __nostackp, that can be used to turn off stack protection on a per function basis. Signed-off-by: Tom Lendacky --- include/linux/compiler-gcc.h | 2 ++ include/linux/compiler.h | 4 2 files changed, 6 insertions(+) diff --git a/include/linux/compiler

[PATCH v10 36/38] x86/boot: Add early cmdline parsing for options with arguments

2017-07-17 Thread Tom Lendacky
Add a cmdline_find_option() function to look for cmdline options that take arguments. The argument is returned in a supplied buffer and the argument length (regardless of whether it fits in the supplied buffer) is returned, with -1 indicating not found. Signed-off-by: Tom Lendacky --- arch/x86

[PATCH v10 32/38] xen/x86: Remove SME feature in PV guests

2017-07-17 Thread Tom Lendacky
Xen does not currently support SME for PV guests. Clear the SME CPU capability in order to avoid any ambiguity. Cc: Cc: Boris Ostrovsky Cc: Juergen Gross Reviewed-by: Borislav Petkov Reviewed-by: Juergen Gross Signed-off-by: Tom Lendacky --- arch/x86/xen/enlighten_pv.c | 1 + 1 file

[PATCH v10 16/38] efi: Add an EFI table address match function

2017-07-17 Thread Tom Lendacky
Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- drivers/firmware/efi/efi.c | 33 + include/linux/efi.h| 7

[PATCH v10 20/38] x86, mpparse: Use memremap to map the mpf and mpc data

2017-07-17 Thread Tom Lendacky
encryption mask so that the data can be successfully accessed when SME is active. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/mpparse.c | 98 +-- 1 file changed, 70 insertions(+), 28 deletions(-) diff --git a/arch/x86/kernel

[PATCH v10 25/38] swiotlb: Add warnings for use of bounce buffers with SME

2017-07-17 Thread Tom Lendacky
, replacing the device with another device that can support 64-bit DMA, ignoring the message if the device isn't used much, etc. Signed-off-by: Tom Lendacky --- include/linux/dma-mapping.h | 13 + lib/swiotlb.c | 3 +++ 2 files changed, 16 insertions(+) diff --git a/in

[PATCH v10 06/38] x86/mm: Add Secure Memory Encryption (SME) support

2017-07-17 Thread Tom Lendacky
30 @@ +/* + * AMD Memory Encryption Support + * + * Copyright (C) 2016 Advanced Micro Devices, Inc. + * + * Author: Tom Lendacky + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by th

[PATCH v10 09/38] x86/mm: Simplify p[g4um]d_page() macros

2017-07-17 Thread Tom Lendacky
Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable.h | 16 +--- 1 file changed

[PATCH v10 00/38] x86: Secure Memory Encryption (AMD)

2017-07-17 Thread Tom Lendacky
n of physical address size of the processor. It is possible that BIOS could have configured resources into a range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. To

Re: [PATCH v9 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-11 Thread Tom Lendacky
On 7/11/2017 10:38 AM, Brian Gerst wrote: On Tue, Jul 11, 2017 at 11:02 AM, Tom Lendacky wrote: On 7/10/2017 11:58 PM, Brian Gerst wrote: On Mon, Jul 10, 2017 at 3:50 PM, Tom Lendacky wrote: On 7/8/2017 7:57 AM, Brian Gerst wrote: On Fri, Jul 7, 2017 at 9:39 AM, Tom Lendacky wrote

Re: [PATCH v9 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-07-11 Thread Tom Lendacky
On 7/11/2017 12:56 AM, Borislav Petkov wrote: On Tue, Jul 11, 2017 at 01:07:46AM -0400, Brian Gerst wrote: If I make the scattered feature support conditional on CONFIG_X86_64 (based on comment below) then cpu_has() will always be false unless CONFIG_X86_64 is enabled. So this won't need to be w

Re: [PATCH v9 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-07-11 Thread Tom Lendacky
On 7/11/2017 12:07 AM, Brian Gerst wrote: On Mon, Jul 10, 2017 at 3:41 PM, Tom Lendacky wrote: On 7/8/2017 7:50 AM, Brian Gerst wrote: On Fri, Jul 7, 2017 at 9:38 AM, Tom Lendacky wrote: Update the CPU features to include identifying and reporting on the Secure Memory Encryption (SME

Re: [PATCH v9 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-11 Thread Tom Lendacky
On 7/10/2017 11:58 PM, Brian Gerst wrote: On Mon, Jul 10, 2017 at 3:50 PM, Tom Lendacky wrote: On 7/8/2017 7:57 AM, Brian Gerst wrote: On Fri, Jul 7, 2017 at 9:39 AM, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it

Re: [PATCH v9 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-10 Thread Tom Lendacky
On 7/8/2017 7:57 AM, Brian Gerst wrote: On Fri, Jul 7, 2017 at 9:39 AM, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it is, then phys_to_virt() is used to perform the mapping. When SME is active, the default is to add

Re: [PATCH v9 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-07-10 Thread Tom Lendacky
On 7/8/2017 7:50 AM, Brian Gerst wrote: On Fri, Jul 7, 2017 at 9:38 AM, Tom Lendacky wrote: Update the CPU features to include identifying and reporting on the Secure Memory Encryption (SME) feature. SME is identified by CPUID 0x801f, but requires BIOS support to enable it (set bit 23 of

Re: [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

2017-07-10 Thread Tom Lendacky
On 7/8/2017 4:24 AM, Ingo Molnar wrote: * Tom Lendacky wrote: This patch series provides support for AMD's new Secure Memory Encryption (SME) feature. I'm wondering, what's the typical performance hit to DRAM access latency when SME is enabled? It's about an ext

[PATCH v9 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-07-07 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c|1 + 4 files changed, 17 insertions(+) diff

[PATCH v9 08/38] x86/mm: Add support to enable SME in early boot processing

2017-07-07 Thread Tom Lendacky
routines to set the encryption mask and perform the encryption are stub routines for now with functionality to be added in a later patch. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |8 + arch/x86/kernel/head64.c | 53

[PATCH v9 11/38] x86/mm: Add SME support for read_cr3_pa()

2017-07-07 Thread Tom Lendacky
native version of read_cr3_pa(), so create native_read_cr3_pa(). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/processor-flags.h |5 +++-- arch/x86/include/asm/processor.h |5 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a

[PATCH v9 12/38] x86/mm: Extend early_memremap() support with additional attrs

2017-07-07 Thread Tom Lendacky
s that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/Kconfig |4 +++ arch/x86/include/asm/fixmap.h| 13 ++ arch/x86/include/asm/pgtable_types.h |8 ++ a

[PATCH v9 19/38] x86/mm: Add support to access boot related data in the clear

2017-07-07 Thread Tom Lendacky
remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h |5 + arch/x86/mm/ioremap.c | 179

[PATCH v9 22/38] x86/mm: Add support for changing the memory encryption attribute

2017-07-07 Thread Tom Lendacky
mask range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/set_memory.h |3 ++ arch/x86/mm/pageattr.c| 62 + 2 files changed, 65 insertions(+) diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/in

[PATCH v9 26/38] x86/CPU/AMD: Make the microcode level available earlier in the boot

2017-07-07 Thread Tom Lendacky
Move the setting of the cpuinfo_x86.microcode field from amd_init() to early_amd_init() so that it is available earlier in the boot process. This avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel

[PATCH v9 24/38] x86, swiotlb: Add memory encryption support

2017-07-07 Thread Tom Lendacky
-by: Tom Lendacky --- arch/x86/include/asm/dma-mapping.h |5 ++- arch/x86/include/asm/mem_encrypt.h |5 +++ arch/x86/kernel/pci-dma.c | 11 +-- arch/x86/kernel/pci-nommu.c|2 + arch/x86/kernel/pci-swiotlb.c | 15 +- arch/x86/mm/mem_encrypt.c

[PATCH v9 30/38] kvm: x86: svm: Support Secure Memory Encryption within KVM

2017-07-07 Thread Tom Lendacky
tables. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/kvm_host.h |2 +- arch/x86/kvm/mmu.c | 12 arch/x86/kvm/mmu.h |2 +- arch/x86/kvm/svm.c | 35 ++- arch/x86/kvm

[PATCH v9 33/38] x86/mm: Use proper encryption attributes with /dev/mem

2017-07-07 Thread Tom Lendacky
mapped encrypted then the VMA protection value is updated to remove the encryption bit. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h |3 +++ arch/x86/mm/ioremap.c | 18 +- arch/x86/mm/pat.c |3 +++ 3 files changed, 15

[PATCH v9 38/38] x86/mm: Add support to make use of Secure Memory Encryption

2017-07-07 Thread Tom Lendacky
Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |6 ++- arch/x86/kernel/head64.c |5 +- arch/x86/mm/mem_encrypt.c | 77 3 files changed, 83 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/mem_en

[PATCH v9 36/38] x86/boot: Add early cmdline parsing for options with arguments

2017-07-07 Thread Tom Lendacky
Add a cmdline_find_option() function to look for cmdline options that take arguments. The argument is returned in a supplied buffer and the argument length (regardless of whether it fits in the supplied buffer) is returned, with -1 indicating not found. Signed-off-by: Tom Lendacky --- arch/x86

[PATCH v9 35/38] x86/mm: Add support to encrypt the kernel in-place

2017-07-07 Thread Tom Lendacky
Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is encrypted by copying it through a temporary buffer. Signed-off-by: Tom Lendacky --- arch/x86/include/asm

[PATCH v9 37/38] compiler-gcc.h: Introduce __nostackp function attribute

2017-07-07 Thread Tom Lendacky
Create a new function attribute, __nostackp, that can be used to turn off stack protection on a per function basis. Signed-off-by: Tom Lendacky --- include/linux/compiler-gcc.h |2 ++ include/linux/compiler.h |4 2 files changed, 6 insertions(+) diff --git a/include/linux

[PATCH v9 34/38] x86/mm: Create native_make_p4d() for PGTABLE_LEVELS <= 4

2017-07-07 Thread Tom Lendacky
Currently, native_make_p4d() is only defined when CONFIG_PGTABLE_LEVELS is greater than 4. Create a macro that will allow for defining and using native_make_p4d() when CONFIG_PGTABLES_LEVELS is not greater than 4. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable_types.h |5

[PATCH v9 31/38] x86/mm, kexec: Allow kexec to be used with SME

2017-07-07 Thread Tom Lendacky
encryption bit. This can cause random memory corruption when caches are flushed depending on which cacheline is written last. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/init.h |1 + arch/x86/include/asm/kexec.h |8 arch/x86

[PATCH v9 32/38] xen/x86: Remove SME feature in PV guests

2017-07-07 Thread Tom Lendacky
Xen does not currently support SME for PV guests. Clear the SME CPU capability in order to avoid any ambiguity. Reviewed-by: Borislav Petkov Reviewed-by: Juergen Gross Signed-off-by: Tom Lendacky --- arch/x86/xen/enlighten_pv.c |1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86

[PATCH v9 28/38] x86, realmode: Check for memory encryption on the APs

2017-07-07 Thread Tom Lendacky
the AP to continue start up. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c |4 arch/x86/realmode/rm/trampoline_64.S | 24 3 files changed, 40

[PATCH v9 29/38] x86, drm, fbdev: Do not specify encrypted memory for video mappings

2017-07-07 Thread Tom Lendacky
Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/vga.h | 14 +- arch/x86/mm/pageattr.c |2 ++ drivers

[PATCH v9 27/38] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-07-07 Thread Tom Lendacky
-by: Tom Lendacky --- drivers/iommu/amd_iommu.c | 30 -- drivers/iommu/amd_iommu_init.c | 34 -- drivers/iommu/amd_iommu_proto.h | 10 ++ drivers/iommu/amd_iommu_types.h |2 +- 4 files changed, 55 insertions(+), 21

[PATCH v9 25/38] swiotlb: Add warnings for use of bounce buffers with SME

2017-07-07 Thread Tom Lendacky
, replacing the device with another device that can support 64-bit DMA, ignoring the message if the device isn't used much, etc. Signed-off-by: Tom Lendacky --- include/linux/dma-mapping.h | 13 + lib/swiotlb.c |3 +++ 2 files changed, 16 insertions(+) diff --git a/in

[PATCH v9 21/38] x86/mm: Add support to access persistent memory in the clear

2017-07-07 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index ee33838..effa529 100644 --- a/arch/x86/mm/ioremap.c +++ b

[PATCH v9 23/38] x86/realmode: Decrypt trampoline area if memory encryption is active

2017-07-07 Thread Tom Lendacky
When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. Reviewed-by: Borislav Petkov Signed-off-by: Tom

[PATCH v9 18/38] x86/efi: Update EFI pagetable creation to work with SME

2017-07-07 Thread Tom Lendacky
successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/platform/efi/efi_64.c | 15

[PATCH v9 20/38] x86, mpparse: Use memremap to map the mpf and mpc data

2017-07-07 Thread Tom Lendacky
encryption mask so that the data can be successfully accessed when SME is active. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/mpparse.c | 98 - 1 file changed, 70 insertions(+), 28 deletions(-) diff --git a/arch/x86/kernel

[PATCH v9 17/38] efi: Update efi_mem_type() to return an error rather than 0

2017-07-07 Thread Tom Lendacky
on to return a negative error value when no memmap entry is found. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/ia64/kernel/efi.c |4 ++-- arch/x86/platform/efi/efi.c |6 +++--- include/linux/efi.h |2 +- 3 files chang

[PATCH v9 15/38] x86/boot/e820: Add support to determine the E820 type of an address

2017-07-07 Thread Tom Lendacky
Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/e820/api.h |2 ++ arch/x86/kernel/e820.c | 26 +++--- 2 files changed, 25 insertions(+), 3

[PATCH v9 16/38] efi: Add an EFI table address match function

2017-07-07 Thread Tom Lendacky
Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- drivers/firmware/efi/efi.c | 33 + include/linux/efi.h|7

[PATCH v9 10/38] x86/mm: Provide general kernel support for memory encryption

2017-07-07 Thread Tom Lendacky
encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h|7 + arch/x86/include/asm

[PATCH v9 14/38] x86/mm: Insure that boot memory areas are mapped properly

2017-07-07 Thread Tom Lendacky
initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |6 +++ arch/x86/include/asm/pgtable.h |3 ++ arch/x86/kernel/head64.c

[PATCH v9 13/38] x86/mm: Add support for early encrypt/decrypt of memory

2017-07-07 Thread Tom Lendacky
initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 10 + arch/x86/mm/mem_encrypt.c | 76

[PATCH v9 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

2017-07-07 Thread Tom Lendacky
scenario, remove the ISA range check and usage of phys_to_virt() and have ISA range mappings continue through the remaining ioremap() path. Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c |7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/arch/x86/mm/ioremap.c b/arch

[PATCH v9 09/38] x86/mm: Simplify p[g4um]d_page() macros

2017-07-07 Thread Tom Lendacky
Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable.h | 16 +--- 1 file changed

[PATCH v9 06/38] x86/mm: Add Secure Memory Encryption (SME) support

2017-07-07 Thread Tom Lendacky
-0,0 +1,30 @@ +/* + * AMD Memory Encryption Support + * + * Copyright (C) 2016 Advanced Micro Devices, Inc. + * + * Author: Tom Lendacky + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +

[PATCH v9 05/38] x86/CPU/AMD: Handle SME reduction in physical address size

2017-07-07 Thread Tom Lendacky
When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c | 10 +++--- 1 file changed, 7 insertions(+), 3

[PATCH v9 03/38] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

2017-07-07 Thread Tom Lendacky
being mapped decrypted vs encrypted. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c | 28

[PATCH v9 02/38] x86/mm/pat: Set write-protect cache mode for full PAT support

2017-07-07 Thread Tom Lendacky
For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/pat.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch

[PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

2017-07-07 Thread Tom Lendacky
cryption.txt create mode 100644 arch/x86/include/asm/mem_encrypt.h create mode 100644 arch/x86/mm/mem_encrypt.c create mode 100644 arch/x86/mm/mem_encrypt_boot.S create mode 100644 include/linux/mem_encrypt.h -- Tom Lendacky

[PATCH v9 01/38] x86: Document AMD Secure Memory Encryption (SME)

2017-07-07 Thread Tom Lendacky
Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- Documentation/admin-guide/kernel-parameters.txt | 11 Documentation/x86/amd

Re: [PATCH v2 2/3] crypto: ccp - Introduce the AMD Secure Processor device

2017-06-28 Thread Tom Lendacky
On 6/28/2017 3:26 PM, Brijesh Singh wrote: On 06/28/2017 02:53 PM, Tom Lendacky wrote: In this I am leaving the top level config as-is and adding CONFIG_CRYPTO_DEV_SP_CCP to enable the CCP device support inside the SP device driver. [*] Support for AMD Secure Processor Secure Processor
