On 1/19/2018 9:35 AM, Greg Kroah-Hartman wrote:
> On Fri, Jan 19, 2018 at 09:27:47AM -0600, Tom Lendacky wrote:
>> On 1/19/2018 9:11 AM, Greg Kroah-Hartman wrote:
>>> On Fri, Jan 19, 2018 at 09:03:52AM -0600, Tom Lendacky wrote:
>>>> On 1/15/2018 4:47 PM, Gabriel C wrote:
>>>>> On 11.01.2018 19:33, Borislav Petkov wrote:
>>>>>> On Wed, Jan 10, 2018 at 01:25:45PM -0600, Tom Lendacky wrote:
>>>>>>> This patch series addresses an issue when SME is active and the BSP
>>>>>>> is attempting to check for and load microcode during load_ucode_bsp().
>>>>>>> Since the initrd has not been decrypted (yet) and the virtual address
>>>>>>> of the initrd treats the memory as encrypted, the CPIO archive parsing
>>>>>>> fails to locate the microcode.
>>>>>>>
>>>>>>> This series moves the encryption of the initrd into the early boot code
>>>>>>> and encrypts it at the same time that the kernel is encrypted. Since
>>>>>>> the initrd is now encrypted, the CPIO archive parsing succeeds in
>>>>>>> properly locating the microcode.
>>>>>>>
>>>>>>> The following patches are included in this fix:
>>>>>>> - Cleanup register saving in arch/x86/mm/mem_encrypt_boot.S
>>>>>>> - Reduce parameters and complexity for creating the SME PGD mappings
>>>>>>> - Centralize the use of the PMD flags used in sme_encrypt_kernel() in
>>>>>>>   preparation for using PTE flags also.
>>>>>>> - Prepare sme_encrypt_kernel() to handle PAGE aligned encryption, not
>>>>>>>   just 2MB large page aligned encryption.
>>>>>>> - Encrypt the initrd in sme_encrypt_kernel() when the kernel is being
>>>>>>>   encrypted.
>>>>>>>
>>>>>>> This patch series is based on tip/master.
>>>>>>>
>>>>>>> ---
>>>>>>>
>>>>>>> Changes from v2:
>>>>>>> - General code cleanup based on feedback.
>>>>>>>
>>>>>>> Changes from v1:
>>>>>>> - Additional patch to cleanup the register saving performed in
>>>>>>>   arch/x86/mm/mem_encrypt_boot.S in prep for changes made in the
>>>>>>>   remainder of the patchset.
>>>>>>> - Additional patch to reduce parameters and complexity for creating the
>>>>>>>   SME PGD mappings by introducing and using a structure for referencing
>>>>>>>   the PGD to populate, the pagetable allocation area, the virtual/physical
>>>>>>>   addresses being mapped and the pagetable flags to be used.
>>>>>>> - Consolidate PMD/PTE mapping code to reduce duplication.
>>>>>>>
>>>>>>> Tom Lendacky (5):
>>>>>>>   x86/mm: Cleanup register saving in mem_encrypt_boot.S
>>>>>>>   x86/mm: Use a struct to reduce parameters for SME PGD mapping
>>>>>>>   x86/mm: Centralize PMD flags in sme_encrypt_kernel()
>>>>>>>   x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
>>>>>>>   x86/mm: Encrypt the initrd earlier for BSP microcode update
>>>>>>>
>>>>>>>
>>>>>>>  arch/x86/include/asm/mem_encrypt.h |    4
>>>>>>>  arch/x86/kernel/head64.c           |    4
>>>>>>>  arch/x86/kernel/setup.c            |   10 -
>>>>>>>  arch/x86/mm/mem_encrypt.c          |  356 ++++++++++++++++++++++++++----------
>>>>>>>  arch/x86/mm/mem_encrypt_boot.S     |   80 ++++----
>>>>>>>  5 files changed, 308 insertions(+), 146 deletions(-)
>>>>>>
>>>>>> All 5:
>>>>>>
>>>>>> Reviewed-by: Borislav Petkov <[email protected]>
>>>>>>
>>>>>
>>>>> Guys, are these patches going to be part of 4.15?
>>>>>
>>>>> With mem_encrypt=on without these patches microcode loading doesn't
>>>>> work right. Also @stable 4.14 would need the fixes too.
>>>>
>>>> It looks like these patches have been pulled into 4.15. I did forget
>>>> to cc stable, so I'll follow-up with a separate email to have these
>>>> back-ported to the 4.14 stable tree.
>>>
>>> What are the git commit ids?
>>> That's all I need :)
>>
>> Hi Greg,
>>
>> Here are the commit ids:
>> 1303880179e6 (“x86/mm: Clean up register saving in the __enc_copy()
>> assembly code”)
>> bacf6b499e11 (“x86/mm: Use a struct to reduce parameters for SME PGD
>> mapping”)
>> 2b5d00b6c2cd (“x86/mm: Centralize PMD flags in sme_encrypt_kernel()”)
>> cc5f01e28d6c (“x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned
>> encryption”)
>> 107cd2532181 (“x86/mm: Encrypt the initrd earlier for BSP microcode
>> update”)
>>
>> The last commit won't apply cleanly on 4.14. There was a change in
>> arch/x86/kernel/setup.c for SEV support. The actual patch to that file
>> is very small; it just removes the call to sme_early_encrypt() and the
>> associated comment. I can submit a new version of that patch if you
>> want, just let me know.
>
> A backported version of that would be great, thanks.
Ok, I'll send that out as soon as possible. Since it is a changed patch
I was planning to remove the Tested-by, Signed-off-by (except for my
sign off), etc. or would you prefer I leave them in this case?

> And are any of these needed in older kernels like 4.4 and 4.9?

Nope, SME was new in 4.14.

Thanks,
Tom

> thanks,
>
> greg k-h
>

