2018-01-19 16:56 GMT+01:00 Tom Lendacky <[email protected]>:
> On 1/19/2018 9:35 AM, Greg Kroah-Hartman wrote:
>> On Fri, Jan 19, 2018 at 09:27:47AM -0600, Tom Lendacky wrote:
>>> On 1/19/2018 9:11 AM, Greg Kroah-Hartman wrote:
>>>> On Fri, Jan 19, 2018 at 09:03:52AM -0600, Tom Lendacky wrote:
>>>>> On 1/15/2018 4:47 PM, Gabriel C wrote:
>>>>>> On 11.01.2018 19:33, Borislav Petkov wrote:
>>>>>>> On Wed, Jan 10, 2018 at 01:25:45PM -0600, Tom Lendacky wrote:
>>>>>>>> This patch series addresses an issue when SME is active and the BSP
>>>>>>>> is attempting to check for and load microcode during load_ucode_bsp().
>>>>>>>> Since the initrd has not been decrypted (yet) and the virtual address
>>>>>>>> of the initrd treats the memory as encrypted, the CPIO archive parsing
>>>>>>>> fails to locate the microcode.
>>>>>>>>
>>>>>>>> This series moves the encryption of the initrd into the early boot code
>>>>>>>> and encrypts it at the same time that the kernel is encrypted. Since
>>>>>>>> the initrd is now encrypted, the CPIO archive parsing succeeds in
>>>>>>>> properly locating the microcode.
>>>>>>>>
>>>>>>>> The following patches are included in this fix:
>>>>>>>> - Cleanup register saving in arch/x86/mm/mem_encrypt_boot.S
>>>>>>>> - Reduce parameters and complexity for creating the SME PGD mappings
>>>>>>>> - Centralize the use of the PMD flags used in sme_encrypt_kernel() in
>>>>>>>>   preparation for using PTE flags also.
>>>>>>>> - Prepare sme_encrypt_kernel() to handle PAGE aligned encryption, not
>>>>>>>>   just 2MB large page aligned encryption.
>>>>>>>> - Encrypt the initrd in sme_encrypt_kernel() when the kernel is being
>>>>>>>>   encrypted.
>>>>>>>>
>>>>>>>> This patch series is based on tip/master.
>>>>>>>>
>>>>>>>> ---
>>>>>>>>
>>>>>>>> Changes from v2:
>>>>>>>> - General code cleanup based on feedback.
>>>>>>>>
>>>>>>>> Changes from v1:
>>>>>>>> - Additional patch to cleanup the register saving performed in
>>>>>>>>   arch/x86/mm/mem_encrypt_boot.S in prep for changes made in the
>>>>>>>>   remainder of the patchset.
>>>>>>>> - Additional patch to reduce parameters and complexity for creating the
>>>>>>>>   SME PGD mappings by introducing and using a structure for referencing
>>>>>>>>   the PGD to populate, the pagetable allocation area, the virtual/physical
>>>>>>>>   addresses being mapped and the pagetable flags to be used.
>>>>>>>> - Consolidate PMD/PTE mapping code to reduce duplication.
>>>>>>>>
>>>>>>>> Tom Lendacky (5):
>>>>>>>>   x86/mm: Cleanup register saving in mem_encrypt_boot.S
>>>>>>>>   x86/mm: Use a struct to reduce parameters for SME PGD mapping
>>>>>>>>   x86/mm: Centralize PMD flags in sme_encrypt_kernel()
>>>>>>>>   x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption
>>>>>>>>   x86/mm: Encrypt the initrd earlier for BSP microcode update
>>>>>>>>
>>>>>>>>
>>>>>>>>  arch/x86/include/asm/mem_encrypt.h | 4
>>>>>>>>  arch/x86/kernel/head64.c | 4
>>>>>>>>  arch/x86/kernel/setup.c | 10 -
>>>>>>>>  arch/x86/mm/mem_encrypt.c | 356 ++++++++++++++++++++++++++----------
>>>>>>>>  arch/x86/mm/mem_encrypt_boot.S | 80 ++++----
>>>>>>>>  5 files changed, 308 insertions(+), 146 deletions(-)
>>>>>>>
>>>>>>> All 5:
>>>>>>>
>>>>>>> Reviewed-by: Borislav Petkov <[email protected]>
>>>>>>>
>>>>>>
>>>>>> Guys, are these patches going to be part of 4.15?
>>>>>>
>>>>>> With mem_encrypt=on without these patches microcode loading doesn't
>>>>>> work right. Also @stable 4.14 would need the fixes too.
>>>>>
>>>>> It looks like these patches have been pulled into 4.15. I did forget
>>>>> to cc stable, so I'll follow-up with a separate email to have these
>>>>> back-ported to the 4.14 stable tree.
>>>>
>>>> What are the git commit ids? That's all I need :)
>>>
>>> Hi Greg,
>>>
>>> Here are the commit ids:
>>>   1303880179e6 (“x86/mm: Clean up register saving in the __enc_copy() assembly code”)
>>>   bacf6b499e11 (“x86/mm: Use a struct to reduce parameters for SME PGD mapping”)
>>>   2b5d00b6c2cd (“x86/mm: Centralize PMD flags in sme_encrypt_kernel()”)
>>>   cc5f01e28d6c (“x86/mm: Prepare sme_encrypt_kernel() for PAGE aligned encryption”)
>>>   107cd2532181 (“x86/mm: Encrypt the initrd earlier for BSP microcode update”)
>>>
>>> The last commit won't apply cleanly on 4.14. There was a change in
>>> arch/x86/kernel/setup.c for SEV support. The actual patch to that file
>>> is very small it just removes the call to sme_early_encrypt() and the
>>> associated comment. I can submit a new version of that patch if you
>>> want, just let me know.
>>
>> A backported version of that would be great, thanks.
>
> Ok, I'll send that out as soon as possible. Since it is a changed patch
> I was planning to remove the Tested-by, Signed-off-by (except for my sign
> off), etc. or would you prefer I leave them in this case?
>

I tested the series on top 4.14.13/.14 already, the conflict is trivial
and easy to fix.

If you wish you can keep my Tested-by.

Regards,

Gabriel C

