Re: [RFC Part1 PATCH v3 15/17] x86: Add support for changing memory encryption attribute in early boot

2017-08-28 Thread Brijesh Singh
Hi Boris, On 8/28/17 5:51 AM, Borislav Petkov wrote: [..] > +static int __init early_set_memory_enc_dec(resource_size_t paddr, >> + unsigned long size, bool enc) >> +{ >> +unsigned long vaddr, vaddr_end, vaddr_next; >> +unsigned long psize, pmask; >

Re: [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables

2017-08-30 Thread Brijesh Singh
Hi Boris, On 08/29/2017 05:22 AM, Borislav Petkov wrote: [...] On Mon, Jul 24, 2017 at 02:07:56PM -0500, Brijesh Singh wrote: Some KVM-specific MSRs (steal-time, asyncpf, avic_eio) allocate per-CPU MSR variables at compile time and share their physical address

Re: [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables

2017-09-01 Thread Brijesh Singh
Hi Boris, On 08/30/2017 12:46 PM, Borislav Petkov wrote: On Wed, Aug 30, 2017 at 11:18:42AM -0500, Brijesh Singh wrote: I was trying to avoid mixing early and non-early set_memory_decrypted(), but if the feedback is: use early_set_memory_decrypted() only if it's required, otherwise use

Re: [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables

2017-09-02 Thread Brijesh Singh
On 9/1/17 10:21 PM, Andy Lutomirski wrote: > On Fri, Sep 1, 2017 at 3:52 PM, Brijesh Singh wrote: >> Hi Boris, >> >> On 08/30/2017 12:46 PM, Borislav Petkov wrote: >>> On Wed, Aug 30, 2017 at 11:18:42AM -0500, Brijesh Singh wrote: >>>> I was

Re: [RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables

2017-09-04 Thread Brijesh Singh
On 9/4/17 12:05 PM, Borislav Petkov wrote: > On Fri, Sep 01, 2017 at 05:52:13PM -0500, Brijesh Singh wrote: >> So far, we have not seen the need for having such functions except >> these cases. The approach we have right now works just fine and not >> sure if it's worth

Re: [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-09-15 Thread Brijesh Singh
On 09/15/2017 07:24 AM, Borislav Petkov wrote: On Tue, Aug 22, 2017 at 06:52:48PM +0200, Borislav Petkov wrote: As always, the devil is in the detail. Ok, actually we can make this much simpler by using a static key. A conceptual patch below - I only need to fix that crazy include hell I'm s

Re: [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-09-15 Thread Brijesh Singh
On 09/15/2017 09:40 AM, Borislav Petkov wrote: I need to figure out the include hell first. I am working with slightly newer patch sets -- in that patch Tom has moved the sev_active() definition in arch/x86/mm/mem_encrypt.c and I have no issue using your recommended (since I no longer need th

Re: [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-09-15 Thread Brijesh Singh
On 09/15/2017 11:22 AM, Borislav Petkov wrote: mem_encrypt_init() where everything should be set up already. Yep, it's safe to deref the static key in mem_encrypt_init(). I've tried the approach and it seems to work fine. I will include the required changes in the next rev. Thanks

[Part1 PATCH v4 09/17] resource: Provide resource struct in resource walk callback

2017-09-16 Thread Brijesh Singh
Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/powerpc/kernel/machine_kexec_file_64.c | 12 +--- arch/x86/kernel/crash.c | 18 +- arch/x86/kernel/pmem.c | 2 +- include/linux/ioport.h | 4 ++-

[Part1 PATCH v5 09/17] resource: Provide resource struct in resource walk callback

2017-09-27 Thread Brijesh Singh
Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/powerpc/kernel/machine_kexec_file_64.c | 12 +--- arch/x86/kernel/crash.c | 18 +- arch/x86/kernel/pmem.c | 2 +- include/linux/ioport.h | 4 ++-

[Part1 PATCH v6 09/17] resource: Provide resource struct in resource walk callback

2017-10-16 Thread Brijesh Singh
Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/powerpc/kernel/machine_kexec_file_64.c | 12 +--- arch/x86/kernel/crash.c | 18 +- arch/x86/kernel/pmem.c | 2 +- include/linux/ioport.h | 4 ++-

[Part1 PATCH v7 09/17] resource: Provide resource struct in resource walk callback

2017-10-20 Thread Brijesh Singh
functions can obtain them from the resource structure directly. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh Reviewed-by: Kees Cook Reviewed-by: Borislav Petkov Tested-by: Borislav Petkov Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Borislav Petkov Cc:

[RFC Part1 PATCH v3 00/17] x86: Secure Encrypted Virtualization (AMD)

2017-07-24 Thread Brijesh Singh
d documentation * update early_set_memory_* to use kernel_physical_mapping_init() to split larger page into smaller (recommended by Boris) * changes to address v2 feedback Brijesh Singh (4): Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) description x86: Add support for

[RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) description

2017-07-24 Thread Brijesh Singh
Update amd-memory-encryption document describing the AMD Secure Encrypted Virtualization (SEV) feature. Signed-off-by: Brijesh Singh --- Documentation/x86/amd-memory-encryption.txt | 29 ++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/Documentation

[RFC Part1 PATCH v3 02/17] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature

2017-07-24 Thread Brijesh Singh
feature as available if reported by CPUID and enabled by BIOS. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 2 ++ arch/x86/kernel/cpu/amd.c | 30 +- arch/x86/kernel

[RFC Part1 PATCH v3 03/17] x86/mm: Secure Encrypted Virtualization (SEV) support

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky Provide support for Secure Encrypted Virtualization (SEV). This initial support defines a flag that is used by the kernel to determine if it is running with SEV active. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/include/asm/mem_encrypt.h | 2

[RFC Part1 PATCH v3 04/17] x86/mm: Don't attempt to encrypt initrd under SEV

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky When SEV is active the initrd/initramfs will already have been placed in memory encrypted, so do not try to encrypt it. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/kernel/setup.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions

[RFC Part1 PATCH v3 05/17] x86, realmode: Don't decrypt trampoline area under SEV

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky When SEV is active the trampoline area will need to be in encrypted memory so only mark the area decrypted if SME is active. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/realmode/init.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions

[RFC Part1 PATCH v3 06/17] x86/mm: Use encrypted access of boot related data with SEV

2017-07-24 Thread Brijesh Singh
-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/mm/ioremap.c | 44 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index 34f0e18..c0be7cf 100644 --- a/arch/x86/mm/ioremap.c

[RFC Part1 PATCH v3 07/17] x86/mm: Include SEV for encryption memory attribute changes

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky The current code checks only for sme_active() when determining whether to perform the encryption attribute change. Include sev_active() in this check so that memory attribute changes can occur under SME and SEV. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh

[RFC Part1 PATCH v3 08/17] x86/efi: Access EFI data as encrypted when SEV is active

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky EFI data is encrypted when the kernel is run under SEV. Update the page table references to be sure the EFI memory areas are accessed encrypted. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/platform/efi/efi_64.c | 15 ++- 1 file changed

[RFC Part1 PATCH v3 09/17] resource: Consolidate resource walking code

2017-07-24 Thread Brijesh Singh
Lendacky Signed-off-by: Brijesh Singh --- kernel/resource.c | 53 ++--- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/kernel/resource.c b/kernel/resource.c index 9b5f044..7b20b3e 100644 --- a/kernel/resource.c +++ b/kernel/resource.c

[RFC Part1 PATCH v3 10/17] resource: Provide resource struct in resource walk callback

2017-07-24 Thread Brijesh Singh
functions can obtain them from the resource structure directly. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/powerpc/kernel/machine_kexec_file_64.c | 12 +--- arch/x86/kernel/crash.c | 18 +- arch/x86/kernel/pmem.c

[RFC Part1 PATCH v3 11/17] x86/mm, resource: Use PAGE_KERNEL protection for ioremap of memory pages

2017-07-24 Thread Brijesh Singh
Signed-off-by: Brijesh Singh --- arch/x86/mm/ioremap.c | 28 include/linux/ioport.h | 3 +++ kernel/resource.c | 17 + 3 files changed, 48 insertions(+) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index c0be7cf..7b27332 100644 --- a

[RFC Part1 PATCH v3 12/17] x86/mm: DMA support for SEV memory encryption

2017-07-24 Thread Brijesh Singh
: Brijesh Singh --- arch/x86/mm/mem_encrypt.c | 86 +++ lib/swiotlb.c | 5 +-- 2 files changed, 89 insertions(+), 2 deletions(-) diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c index 1e4643e..5e5d460 100644 --- a/arch/x86/mm

[RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-07-24 Thread Brijesh Singh
From: Tom Lendacky Secure Encrypted Virtualization (SEV) does not support string I/O, so unroll the string I/O operation into a loop operating on one element at a time. Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/include/asm/io.h | 26 ++ 1

[RFC Part1 PATCH v3 14/17] x86/boot: Add early boot support when running with SEV active

2017-07-24 Thread Brijesh Singh
. DMA (always bounce buffered with SEV) or EFI tables (always access decrypted with SME). Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- arch/x86/boot/compressed/Makefile | 2 + arch/x86/boot/compressed/head_64.S | 16 + arch/x86/boot/compressed/mem_encrypt.S | 103

[RFC Part1 PATCH v3 15/17] x86: Add support for changing memory encryption attribute in early boot

2017-07-24 Thread Brijesh Singh
code. Signed-off-by: Brijesh Singh --- arch/x86/include/asm/mem_encrypt.h | 17 ++ arch/x86/mm/mem_encrypt.c | 117 + 2 files changed, 134 insertions(+) diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h index

[RFC Part1 PATCH v3 16/17] X86/KVM: Provide support to create Guest and HV shared per-CPU variables

2017-07-24 Thread Brijesh Singh
is detected we map this section without C-bit. This patch implements #3. It introduces a new DEFINE_PER_CPU_HV_SHAHRED macro to create a compile time per-CPU variable. When SEV is detected we clear the C-bit from the shared per-CPU variable. Signed-off-by: Brijesh Singh --- arch/x

[RFC Part1 PATCH v3 17/17] X86/KVM: Clear encryption attribute when SEV is active

2017-07-24 Thread Brijesh Singh
hypervisor and guest can access the data. Signed-off-by: Brijesh Singh --- arch/x86/entry/vdso/vma.c | 5 ++-- arch/x86/kernel/kvmclock.c | 64 +++--- 2 files changed, 58 insertions(+), 11 deletions(-) diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86

Re: [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) description

2017-07-25 Thread Brijesh Singh
On 07/25/2017 12:45 AM, Borislav Petkov wrote: On Mon, Jul 24, 2017 at 02:07:41PM -0500, Brijesh Singh wrote: Subject: Re: [RFC Part1 PATCH v3 01/17] Documentation/x86: Add AMD Secure Encrypted Virtualization (SEV) description

Re: [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-07-26 Thread Brijesh Singh
Hi Arnd and David, On 07/26/2017 05:45 AM, Arnd Bergmann wrote: On Tue, Jul 25, 2017 at 11:51 AM, David Laight wrote: From: Brijesh Singh Sent: 24 July 2017 20:08 From: Tom Lendacky Secure Encrypted Virtualization (SEV) does not support string I/O, so unroll the string I/O operation into

Re: [RFC Part1 PATCH v3 13/17] x86/io: Unroll string I/O when SEV is active

2017-07-26 Thread Brijesh Singh
On 07/26/2017 02:26 PM, H. Peter Anvin wrote: \ static inline void outs##bwl(int port, const void *addr, unsigned long count) \ { This will clash with a fix I did to add a "memory" clobber for the traditional imp