On 1/19/2018 9:11 AM, Greg Kroah-Hartman wrote:
> On Fri, Jan 19, 2018 at 09:03:52AM -0600, Tom Lendacky wrote:
>> On 1/15/2018 4:47 PM, Gabriel C wrote:
>>> On 11.01.2018 19:33, Borislav Petkov wrote:
>>>> On Wed, Jan 10, 2018 at 01:25:45PM -0600, Tom Lendacky wrote:
>>>>> This patch series addresses an issue when SME is active and the BSP
>>>>> is attempting to check for and load microcode during load_ucode_bsp().
>>>>> Since the initrd has not been decrypted (yet) and the virtual address
>>>>> of the initrd treats the memory as encrypted, the CPIO archive parsing
>>>>> fails to locate the microcode.
>>>>>
>>>>> This series moves the encryption of the initrd into the early boot code
>>>>> and encrypts it at the same time that the kernel is encrypted. Since
>>>>> the initrd is now encrypted, the CPIO archive parsing succeeds in
>>>>> properly locating the microcode.
>>>>>
>>>>> The following patches are included in this fix:
>>>>> - Cleanup register saving in arch/x86/mm/mem_encrypt_boot.S
>>>>> - Reduce parameters and complexity for creating the SME PGD mappings
>>>>> - Centralize the use of the PMD flags used in sme_encrypt_kernel() in
>>>>>   preparation for using PTE flags also.
>>>>> - Prepare sme_encrypt_kernel() to handle PAGE aligned encryption, not
>>>>>   just 2MB large page aligned encryption.
>>>>> - Encrypt the initrd in sme_encrypt_kernel() when the kernel is being
>>>>>   encrypted.
>>>>>
>>>>> This patch series is based on tip/master.
>>>>>
>>>>> ---
>>>>>
>>>>> Changes from v2:
>>>>> - General code cleanup based on feedback.
>>>>>
>>>>> Changes from v1:
>>>>> - Additional patch to cleanup the register saving performed in
>>>>>   arch/x86/mm/mem_encrypt_boot.S in prep for changes made in the
>>>>>   remainder of the patchset.
>>>>> - Additional patch to reduce parameters and complexity for creating the
>>>>>   SME PGD mappings by introducing and using a structure for referencing
>>>>>   the PGD to populate, the pagetable allocation area, the virtual/physical
>>>>>   addresses being mapped and the pagetable flags to be used.
>>>>> - Consolidate PMD/PTE mapping code to reduce duplication.
>>>>>
>>>>> Tom Lendacky (5):
>>>>>   x86/mm: Cleanup register saving in mem_encrypt_boot.S
>>>>>   x86/mm: Use a struct to reduce parameters for SME PGD mapping
>>>>>   x86/mm: Centralize PMD flags in sme_encrypt_kernel()
>>>>>   x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
>>>>>   x86/mm: Encrypt the initrd earlier for BSP microcode update
>>>>>
>>>>>
>>>>>  arch/x86/include/asm/mem_encrypt.h |   4
>>>>>  arch/x86/kernel/head64.c           |   4
>>>>>  arch/x86/kernel/setup.c            |  10 -
>>>>>  arch/x86/mm/mem_encrypt.c          | 356 ++++++++++++++++++++++++++----------
>>>>>  arch/x86/mm/mem_encrypt_boot.S     |  80 ++++----
>>>>>  5 files changed, 308 insertions(+), 146 deletions(-)
>>>>
>>>> All 5:
>>>>
>>>> Reviewed-by: Borislav Petkov <[email protected]>
>>>>
>>>
>>> Guys, are these patches going to be part of 4.15?
>>>
>>> With mem_encrypt=on without these patches microcode loading doesn't
>>> work right. Also @stable 4.14 would need the fixes too.
>>
>> It looks like these patches have been pulled into 4.15. I did forget
>> to cc stable, so I'll follow-up with a separate email to have these
>> back-ported to the 4.14 stable tree.
>
> What are the git commit ids? That's all I need :)

Hi Greg,

Here are the commit ids:

1303880179e6 ("x86/mm: Clean up register saving in the __enc_copy() assembly code")
bacf6b499e11 ("x86/mm: Use a struct to reduce parameters for SME PGD mapping")
2b5d00b6c2cd ("x86/mm: Centralize PMD flags in sme_encrypt_kernel()")
cc5f01e28d6c ("x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption")
107cd2532181 ("x86/mm: Encrypt the initrd earlier for BSP microcode update")

The last commit won't apply cleanly on 4.14. There was a change in
arch/x86/kernel/setup.c for SEV support. The actual patch to that file
is very small; it just removes the call to sme_early_encrypt() and the
associated comment. I can submit a new version of that patch if you
want, just let me know.

Thanks Greg!

Tom

>
> thanks,
>
> greg k-h
>

