[PATCH v8 22/38] x86/mm: Add support for changing the memory encryption attribute

2017-06-27 Thread Tom Lendacky
range. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/set_memory.h |3 ++ arch/x86/mm/pageattr.c| 62 + 2 files changed, 65 insertions(+) diff --git a/arch

[PATCH v8 23/38] x86/realmode: Decrypt trampoline area if memory encryption is active

2017-06-27 Thread Tom Lendacky
.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/realmode/init.c |8 1 file changed, 8 insertions(+) diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c index cd4be19..d6ddc7e 100644 --- a/arch/x86/realmode/init.c +++ b/arch/x86/realmode/init.c

[PATCH v8 21/38] x86/mm: Add support to access persistent memory in the clear

2017-06-27 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index ee33

[PATCH v8 20/38] x86, mpparse: Use memremap to map the mpf and mpc data

2017-06-27 Thread Tom Lendacky
of the encryption mask so that the data can be successfully accessed when SME is active. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kernel/mpparse.c | 98 - 1 file changed, 70 inser

[PATCH v8 19/38] x86/mm: Add support to access boot related data in the clear

2017-06-27 Thread Tom Lendacky
remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk> Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/inclu

[PATCH v8 18/38] x86/efi: Update EFI pagetable creation to work with SME

2017-06-27 Thread Tom Lendacky
successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk> Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by:

[PATCH v8 17/38] efi: Update efi_mem_type() to return an error rather than 0

2017-06-27 Thread Tom Lendacky
to return a negative error value when no memmap entry is found. Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk> Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/ia64/kernel/efi.c |4 ++-- arch/x86/platfor

[PATCH v8 16/38] efi: Add an EFI table address match function

2017-06-27 Thread Tom Lendacky
Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk> Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- drivers/firmwar

[PATCH v8 13/38] x86/mm: Add support for early encrypt/decrypt of memory

2017-06-27 Thread Tom Lendacky
the initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h | 10 +

[PATCH v8 14/38] x86/mm: Insure that boot memory areas are mapped properly

2017-06-27 Thread Tom Lendacky
. For the initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h |6 +++ arch/x86/include/asm/pgtable.h

[PATCH v8 15/38] x86/boot/e820: Add support to determine the E820 type of an address

2017-06-27 Thread Tom Lendacky
Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/e820/api.h |2 ++ arch/x86/kernel/e820.c | 26 +

[PATCH v8 12/38] x86/mm: Extend early_memremap() support with additional attrs

2017-06-27 Thread Tom Lendacky
is implies that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/Kconfig |4 +++ arch/x86/include/asm/fixmap.h| 13 ++

[PATCH v8 09/38] x86/mm: Simplify p[g4um]d_page() macros

2017-06-27 Thread Tom Lendacky
Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/a

[PATCH v8 10/38] x86/mm: Provide general kernel support for memory encryption

2017-06-27 Thread Tom Lendacky
the encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h

[PATCH v8 08/38] x86/mm: Add support to enable SME in early boot processing

2017-06-27 Thread Tom Lendacky
. The routines to set the encryption mask and perform the encryption are stub routines for now with functionality to be added in a later patch. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h |8 + arch/x86/kernel/head64.c

[PATCH v8 05/38] x86/CPU/AMD: Handle SME reduction in physical address size

2017-06-27 Thread Tom Lendacky
When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kernel/cpu/amd.c | 10 +

[PATCH v8 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-06-27 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c

[PATCH v8 02/38] x86/mm/pat: Set write-protect cache mode for full PAT support

2017-06-27 Thread Tom Lendacky
For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/mm/pat.c |6 +++--- 1 file changed,

[PATCH v8 03/38] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

2017-06-27 Thread Tom Lendacky
being mapped decrypted vs encrypted. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugf

[PATCH v8 00/38] x86: Secure Memory Encryption (AMD)

2017-06-27 Thread Tom Lendacky
range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. Tom Lendacky (38): x86: Document AMD Secure Memory Encryption (SME) x86/mm/pat: Set write-protect cache mode for full PAT suppor

[PATCH v8 01/38] x86: Document AMD Secure Memory Encryption (SME)

2017-06-27 Thread Tom Lendacky
Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- Documentation/admin-

Re: [PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

2017-06-26 Thread Tom Lendacky
On 6/26/2017 10:45 AM, Borislav Petkov wrote: On Fri, Jun 23, 2017 at 12:44:46PM -0500, Tom Lendacky wrote: Normally the __p4d() macro would be used and that would be ok whether CONFIG_X86_5LEVEL is defined or not. But since __p4d() is part of the paravirt ops path I have to use native_make_p4d

Re: [PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

2017-06-23 Thread Tom Lendacky
On 6/23/2017 5:00 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:56:19PM -0500, Tom Lendacky wrote: Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel

Re: [PATCH v7 27/36] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-22 Thread Tom Lendacky
On 6/22/2017 5:56 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:54:59PM -0500, Tom Lendacky wrote: The IOMMU is programmed with physical addresses for the various tables and buffers that are used to communicate between the device and the driver. When the driver allocates this memory

Re: [PATCH v6 26/34] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-21 Thread Tom Lendacky
On 6/21/2017 11:59 AM, Borislav Petkov wrote: On Wed, Jun 21, 2017 at 05:37:22PM +0200, Joerg Roedel wrote: Do you mean this is like the last exception case in that document above: " - Pointers to data structures in coherent memory which might be modified by I/O devices can, sometimes,

Re: [PATCH v1 3/3] iommu/amd: Optimize the IOMMU queue flush

2017-06-21 Thread Tom Lendacky
sh queue. This new queue optimizes the flushing of TLBs to the required protection domains. Reviewed-by: Arindam Nath <arindam.n...@amd.com> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- drivers/iommu/amd_iommu.c | 56 - 1 file c

Re: [PATCH v7 25/36] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-21 Thread Tom Lendacky
On 6/21/2017 5:50 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:54:36PM -0500, Tom Lendacky wrote: Add warnings to let the user know when bounce buffers are being used for DMA when SME is active. Since the bounce buffers are not in encrypted memory, these notifications are to allow

Re: [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

2017-06-21 Thread Tom Lendacky
On 6/21/2017 2:16 AM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h index a105796..988b336 100644 --- a/arch/x86/include/asm/mem_encrypt.h +++ b/arch/x86/include/asm/mem_encrypt.h @@ -15,16

Re: [PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

2017-06-21 Thread Tom Lendacky
On 6/21/2017 2:37 AM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it is then phys_to_virt() is used to perform the mapping. When SME is active, however, this will result

Re: [PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

2017-06-21 Thread Tom Lendacky
On 6/20/2017 3:55 PM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it is then phys_to_virt() is used to perform the mapping. When SME is active, however, this will result

Re: [PATCH v7 06/36] x86/mm: Add Secure Memory Encryption (SME) support

2017-06-21 Thread Tom Lendacky
On 6/20/2017 3:49 PM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: +config ARCH_HAS_MEM_ENCRYPT + def_bool y + depends on X86 That one is silly. The config switch is in the x86 KConfig file, so X86 is on. If you intended to move this to some generic place

Re: [PATCH v7 11/36] x86/mm: Add SME support for read_cr3_pa()

2017-06-20 Thread Tom Lendacky
On 6/20/2017 11:17 AM, Andy Lutomirski wrote: On Fri, Jun 16, 2017 at 11:51 AM, Tom Lendacky <thomas.lenda...@amd.com> wrote: The cr3 register entry can contain the SME encryption mask that indicates the PGD is encrypted. The encryption mask should not be used when creating a virtual a

Re: [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

2017-06-20 Thread Tom Lendacky
On 6/20/2017 2:38 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:51:15PM -0500, Tom Lendacky wrote: Add support to the early boot code to use Secure Memory Encryption (SME). Since the kernel has been loaded into memory in a decrypted state, encrypt the kernel in place and update

[PATCH v7 35/36] x86/boot: Add early cmdline parsing for options with arguments

2017-06-16 Thread Tom Lendacky
Add a cmdline_find_option() function to look for cmdline options that take arguments. The argument is returned in a supplied buffer and the argument length (regardless of whether it fits in the supplied buffer) is returned, with -1 indicating not found. Signed-off-by: Tom Lendacky <thomas.le
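The semantics described in this entry (argument copied into a caller-supplied buffer, full argument length returned even when it does not fit, -1 when the option is absent) can be illustrated with a small stand-alone parser. The code below is an added example and is not the kernel's cmdline_find_option(); the function name example_cmdline_find_option, the whitespace characters treated as separators, and the choice that the last occurrence of an option wins are all assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not the kernel's implementation. Looks for "option=<arg>"
 * tokens in a space-separated command line. The option name must start a
 * token, so "xmem_encrypt=on" does not match "mem_encrypt".
 *
 * Returns the argument length even if it exceeds bufsize (the copy is
 * truncated and NUL-terminated), or -1 if the option is not present.
 * If an option is given more than once, the last occurrence wins; that is
 * a choice made for this example.
 */
static int example_is_sep(char c)
{
	return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

int example_cmdline_find_option(const char *cmdline, const char *option,
				char *buffer, int bufsize)
{
	size_t optlen;
	const char *p;
	int len = -1;

	if (!cmdline || !option)
		return -1;
	optlen = strlen(option);
	if (optlen == 0)
		return -1;

	p = cmdline;
	while (*p) {
		const char *tok;

		/* skip separators between tokens */
		while (*p && example_is_sep(*p))
			p++;
		if (!*p)
			break;

		/* delimit the current token */
		tok = p;
		while (*p && !example_is_sep(*p))
			p++;

		/* token must be exactly "option=" followed by the argument */
		if ((size_t)(p - tok) > optlen &&
		    memcmp(tok, option, optlen) == 0 && tok[optlen] == '=') {
			const char *arg = tok + optlen + 1;
			int arglen = (int)(p - arg);

			len = arglen;
			if (buffer && bufsize > 0) {
				/* copy what fits, always NUL-terminate */
				int n = arglen < bufsize - 1 ? arglen : bufsize - 1;

				memcpy(buffer, arg, (size_t)n);
				buffer[n] = '\0';
			}
		}
	}
	return len;
}
```

Typical use is early boot code asking for one parameter, for instance example_cmdline_find_option(cmdline, "mem_encrypt", buf, sizeof(buf)), and then comparing the returned length against sizeof(buf) to detect a truncated argument before trusting the buffer contents.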

[PATCH v7 36/36] x86/mm: Add support to make use of Secure Memory Encryption

2017-06-16 Thread Tom Lendacky
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h |6 ++- arch/x86/kernel/head64.c |4 +- arch/x86/mm/mem_encrypt.c | 86 +++- 3 files changed, 90 insertions(+), 6 deletions(-) diff

[PATCH v7 32/36] xen/x86: Remove SME feature in PV guests

2017-06-16 Thread Tom Lendacky
Xen does not currently support SME for PV guests. Clear the SME cpu capability in order to avoid any ambiguity. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/xen/enlighten_pv.c |1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x

[PATCH v7 33/36] x86/mm: Use proper encryption attributes with /dev/mem

2017-06-16 Thread Tom Lendacky
or not. If it is not to be mapped encrypted then the VMA protection value is updated to remove the encryption bit. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/io.h |3 +++ arch/x86/mm/ioremap.c | 18 +- arch/x86/mm/pat.c |3 +++ 3 files chang

[PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

2017-06-16 Thread Tom Lendacky
Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is encrypted by copying it through a temporary buffer. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.

[PATCH v7 28/36] x86, realmode: Check for memory encryption on the APs

2017-06-16 Thread Tom Lendacky
the AP to continue start up. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c |4 arch/x86/realmode/rm/trampoline

[PATCH v7 30/36] kvm: x86: svm: Support Secure Memory Encryption within KVM

2017-06-16 Thread Tom Lendacky
tables. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/kvm_host.h |2 +- arch/x86/kvm/mmu.c | 12 arch/x86/kvm/mmu.h |2 +- arch/x86/kvm/svm.c

[PATCH v7 31/36] x86/mm, kexec: Allow kexec to be used with SME

2017-06-16 Thread Tom Lendacky
the encryption bit. This can cause random memory corruption when caches are flushed depending on which cacheline is written last. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/init.h |1 + arch/x86/include/asm/kexec.h |8 ar

[PATCH v7 29/36] x86, drm, fbdev: Do not specify encrypted memory for video mappings

2017-06-16 Thread Tom Lendacky
Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/vga.h | 14 +-

[PATCH v7 27/36] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-16 Thread Tom Lendacky
to be included in these physical addresses during configuration. The PTE entries created by the IOMMU should also include the encryption mask so that when the device behind the IOMMU performs a DMA, the DMA will be performed to encrypted memory. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.

[PATCH v7 26/36] x86/CPU/AMD: Make the microcode level available earlier in the boot

2017-06-16 Thread Tom Lendacky
Move the setting of the cpuinfo_x86.microcode field from amd_init() to early_amd_init() so that it is available earlier in the boot process. This avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kern

[PATCH v7 24/36] x86, swiotlb: Add memory encryption support

2017-06-16 Thread Tom Lendacky
-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/dma-mapping.h |5 ++- arch/x86/include/asm/mem_encrypt.h |5 +++ arch/x86/kernel/pci-dma.c | 11 +-- arch/x86/kernel/pci-nommu.c|2 + arch/x86/kernel/pci-swiotlb.c | 15 +- ar

[PATCH v7 25/36] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-16 Thread Tom Lendacky
, replacing the device with another device that can support 64-bit DMA, ignoring the message if the device isn't used much, etc. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- include/linux/dma-mapping.h | 11 +++ include/linux/mem_encrypt.h |8 lib/swi

[PATCH v7 23/36] x86, realmode: Decrypt trampoline area if memory encryption is active

2017-06-16 Thread Tom Lendacky
When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. Signed-off-by: Tom Lendacky <thomas.le

[PATCH v7 22/36] x86/mm: Add support for changing the memory encryption attribute

2017-06-16 Thread Tom Lendacky
range. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/set_memory.h |3 ++ arch/x86/mm/pageattr.c| 62 + 2 files changed, 65 insertions(+) diff --git a/arch

[PATCH v7 21/36] x86/mm: Add support to access persistent memory in the clear

2017-06-16 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index f3fa

[PATCH v7 20/36] x86, mpparse: Use memremap to map the mpf and mpc data

2017-06-16 Thread Tom Lendacky
of the encryption mask so that the data can be successfully accessed when SME is active. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kernel/mpparse.c | 98 - 1 file changed, 70 insertions(+), 28 deletions(-) diff --git a/arch/x86/

[PATCH v7 19/36] x86/mm: Add support to access boot related data in the clear

2017-06-16 Thread Tom Lendacky
remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/io.h |5 + arch/x86/mm/ioremap.c | 179 + include

[PATCH v7 18/36] x86/efi: Update EFI pagetable creation to work with SME

2017-06-16 Thread Tom Lendacky
successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/

[PATCH v7 17/36] efi: Update efi_mem_type() to return an error rather than 0

2017-06-16 Thread Tom Lendacky
to return a negative error value when no memmap entry is found. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/ia64/kernel/efi.c |4 ++-- arch/x86/platform/efi/efi.c |6 +++--- include/linux/efi.h |2

[PATCH v7 15/36] x86/boot/e820: Add support to determine the E820 type of an address

2017-06-16 Thread Tom Lendacky
Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/e820/api.h |2 ++ arch/x86/kernel/e820.c | 26 +

[PATCH v7 16/36] efi: Add an EFI table address match function

2017-06-16 Thread Tom Lendacky
Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- drivers/firmware/efi/efi.c | 33 + include

[PATCH v7 12/36] x86/mm: Extend early_memremap() support with additional attrs

2017-06-16 Thread Tom Lendacky
is implies that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/Kconfig |4 +++ arch/x86/include/asm/fixmap.h| 13 ++

[PATCH v7 13/36] x86/mm: Add support for early encrypt/decrypt of memory

2017-06-16 Thread Tom Lendacky
the initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h | 10 +

[PATCH v7 14/36] x86/mm: Insure that boot memory areas are mapped properly

2017-06-16 Thread Tom Lendacky
. For the initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h |6 +++ arch/x86/include/asm/pgtable.h

[PATCH v7 11/36] x86/mm: Add SME support for read_cr3_pa()

2017-06-16 Thread Tom Lendacky
a native version of read_cr3_pa(), so create native_read_cr3_pa(). Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/processor-flags.h |3 ++- arch/x86/include/asm/processor.h |5 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ar

[PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

2017-06-16 Thread Tom Lendacky
routines depending on CONFIG_AMD_MEM_ENCRYPT. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/mem_encrypt.h |8 +++ arch/x86/kernel/head64.c | 33 +- arch/x86/kernel/head_64.S

[PATCH v7 10/36] x86/mm: Provide general kernel support for memory encryption

2017-06-16 Thread Tom Lendacky
the encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h

[PATCH v7 09/36] x86/mm: Simplify p[gum]d_page() macros

2017-06-16 Thread Tom Lendacky
Create a pgd_pfn() macro similar to the p[um]d_pfn() macros and then use the p[gum]d_pfn() macros in the p[gum]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/a

[PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

2017-06-16 Thread Tom Lendacky
not have the encryption bit set. So only use the phys_to_virt() function if SME is not active Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/mm/ioremap.c |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff

[PATCH v7 06/36] x86/mm: Add Secure Memory Encryption (SME) support

2017-06-16 Thread Tom Lendacky
ed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/Kconfig | 26 ++ arch/x86/include/asm/mem_encrypt.h | 30 ++ arch/x86/mm/Makefile |1 + arch/x86/mm/mem_encrypt.c

[PATCH v7 05/36] x86/CPU/AMD: Handle SME reduction in physical address size

2017-06-16 Thread Tom Lendacky
When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kernel/cpu/amd.c | 10 +

[PATCH v7 03/36] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

2017-06-16 Thread Tom Lendacky
being mapped decrypted vs encrypted. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c

[PATCH v7 04/36] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

2017-06-16 Thread Tom Lendacky
. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c

[PATCH v7 02/36] x86/mm/pat: Set write-protect cache mode for full PAT support

2017-06-16 Thread Tom Lendacky
For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/mm/pat.c |6 +++--- 1 file changed,

[PATCH v7 01/36] x86: Document AMD Secure Memory Encryption (SME)

2017-06-16 Thread Tom Lendacky
Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov <b...@suse.de> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- Documentation/admin-

[PATCH v7 00/36] x86: Secure Memory Encryption (AMD)

2017-06-16 Thread Tom Lendacky
w not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. Tom Lendacky (36): x86: Document AMD Secure Memory Encryption (SME) x86/mm/pat: Set write-protect cache mode for full PAT support x86, mpparse, x8

Re: [PATCH v6 30/34] x86/mm, kexec: Allow kexec to be used with SME

2017-06-15 Thread Tom Lendacky
On 6/15/2017 5:03 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:18:27PM -0500, Tom Lendacky wrote: Provide support so that kexec can be used to boot a kernel when SME is enabled. Support is needed to allocate pages for kexec without encryption. This is needed in order to be able

Re: [PATCH v6 26/34] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-15 Thread Tom Lendacky
On 6/15/2017 10:33 AM, Borislav Petkov wrote: On Thu, Jun 15, 2017 at 09:59:45AM -0500, Tom Lendacky wrote: Actually the detection routine, amd_iommu_detect(), is part of the IOMMU_INIT_FINISH macro support which is called early through mm_init() from start_kernel() and that routine is called

Re: [PATCH v6 26/34] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-15 Thread Tom Lendacky
On 6/15/2017 4:41 AM, Borislav Petkov wrote: On Wed, Jun 14, 2017 at 03:40:28PM -0500, Tom Lendacky wrote: I was trying to keep all the logic for it here in the SME related files rather than put it in the iommu code itself. But it is easy enough to move if you think it's worth it. Yes please

Re: [PATCH v6 25/34] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-15 Thread Tom Lendacky
On 6/15/2017 4:08 AM, Borislav Petkov wrote: On Wed, Jun 14, 2017 at 02:49:02PM -0500, Tom Lendacky wrote: I guess I don't need the sme_active() check since the second part of the if statement can only ever be true if SME is active (since mask is unsigned). ... and you can define sme_me_mask

Re: [PATCH v6 26/34] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-14 Thread Tom Lendacky
On 6/14/2017 12:42 PM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:17:45PM -0500, Tom Lendacky wrote: The IOMMU is programmed with physical addresses for the various tables and buffers that are used to communicate between the device and the driver. When the driver allocates this memory

Re: [PATCH v6 25/34] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-14 Thread Tom Lendacky
On 6/14/2017 11:50 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:17:32PM -0500, Tom Lendacky wrote: Add warnings to let the user know when bounce buffers are being used for DMA when SME is active. Since the bounce buffers are not in encrypted memory, these notifications are to allow

Re: [PATCH v6 24/34] x86, swiotlb: Add memory encryption support

2017-06-14 Thread Tom Lendacky
On 6/14/2017 11:45 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:17:21PM -0500, Tom Lendacky wrote: Since DMA addresses will effectively look like 48-bit addresses when the memory encryption mask is set, SWIOTLB is needed if the DMA mask of the device performing the DMA does not support

Re: [PATCH v6 20/34] x86, mpparse: Use memremap to map the mpf and mpc data

2017-06-14 Thread Tom Lendacky
On 6/14/2017 11:07 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:16:43PM -0500, Tom Lendacky wrote: The SMP MP-table is built by UEFI and placed in memory in a decrypted state. These tables are accessed using a mix of early_memremap(), early_memunmap(), phys_to_virt() and virt_to_phys

Re: [PATCH v6 23/34] x86, realmode: Decrypt trampoline area if memory encryption is active

2017-06-14 Thread Tom Lendacky
On 6/14/2017 11:24 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:17:09PM -0500, Tom Lendacky wrote: When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because

Re: [PATCH v6 14/34] x86/mm: Insure that boot memory areas are mapped properly

2017-06-12 Thread Tom Lendacky
On 6/10/2017 11:01 AM, Borislav Petkov wrote: On Wed, Jun 07, 2017 at 02:15:39PM -0500, Tom Lendacky wrote: The boot data and command line data are present in memory in a decrypted state and are copied early in the boot process. The early page fault support will map these areas as encrypted

Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-09 Thread Tom Lendacky
On 6/9/2017 1:46 PM, Andy Lutomirski wrote: On Thu, Jun 8, 2017 at 3:38 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote: On 6/8/2017 1:05 AM, Andy Lutomirski wrote: On Wed, Jun 7, 2017 at 12:14 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote: The cr3 register entry can con

Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-09 Thread Tom Lendacky
On 6/9/2017 1:43 PM, Boris Ostrovsky wrote: On 06/09/2017 02:36 PM, Tom Lendacky wrote: On 6/8/2017 5:01 PM, Andrew Cooper wrote: On 08/06/2017 22:17, Boris Ostrovsky wrote: On 06/08/2017 05:02 PM, Tom Lendacky wrote: On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making

Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-09 Thread Tom Lendacky
On 6/8/2017 5:01 PM, Andrew Cooper wrote: On 08/06/2017 22:17, Boris Ostrovsky wrote: On 06/08/2017 05:02 PM, Tom Lendacky wrote: On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making sure X86_FEATURE_SME is not set for PV guests. And that may be something that Xen

Re: [PATCH v6 25/34] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-08 Thread Tom Lendacky
On 6/8/2017 2:58 AM, Christoph Hellwig wrote: On Wed, Jun 07, 2017 at 02:17:32PM -0500, Tom Lendacky wrote: Add warnings to let the user know when bounce buffers are being used for DMA when SME is active. Since the bounce buffers are not in encrypted memory, these notifications are to allow

Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-08 Thread Tom Lendacky
On 6/8/2017 1:05 AM, Andy Lutomirski wrote: On Wed, Jun 7, 2017 at 12:14 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote: The cr3 register entry can contain the SME encryption bit that indicates the PGD is encrypted. The encryption bit should not be used when creating a virtual a

Re: [PATCH v6 25/34] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-08 Thread Tom Lendacky
://github.com/0day-ci/linux/commits/Tom-Lendacky/x86-Secure-Memory-Encryption-AMD/20170608-104147 config: sparc-defconfig (attached as .config) compiler: sparc-linux-gcc (GCC) 6.2.0 reproduce: wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross

Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-08 Thread Tom Lendacky
On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making sure X86_FEATURE_SME is not set for PV guests. And that may be something that Xen will need to control through either CPUID or MSR support for the PV guests. Only on newer versions of Xen. On earlier versions (2-3

Re: [PATCH v6 00/34] x86: Secure Memory Encryption (AMD)

2017-06-08 Thread Tom Lendacky
On 6/7/2017 9:40 PM, Nick Sarnie wrote: On Wed, Jun 7, 2017 at 3:13 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote: This patch series provides support for AMD's new Secure Memory Encryption (SME) feature. SME can be used to mark individual pages of memory as encrypted through the page

Re: [PATCH v6 26/34] iommu/amd: Allow the AMD IOMMU to work with memory encryption

2017-06-08 Thread Tom Lendacky
On 6/7/2017 9:38 PM, Nick Sarnie wrote: On Wed, Jun 7, 2017 at 3:17 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote: The IOMMU is programmed with physical addresses for the various tables and buffers that are used to communicate between the device and the driver. When the driver all

Re: [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

2017-06-08 Thread Tom Lendacky
On 6/7/2017 5:06 PM, Boris Ostrovsky wrote: On 06/07/2017 03:14 PM, Tom Lendacky wrote: The cr3 register entry can contain the SME encryption bit that indicates the PGD is encrypted. The encryption bit should not be used when creating a virtual address for the PGD table. Create a new function
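An added example, not code from the patch series, showing the point the message above makes: the SME encryption bit (the C-bit) has to be stripped from cr3 along with the PCID/flag bits before the PGD's physical address is handed to the direct map. The CPUID EBX value, the cr3 value and the direct-map base are constructed for this example; the C-bit position is taken from CPUID Fn8000_001F EBX[5:0] as the hardware advertises it, and the cr3 bit layout is the standard one (bits 11:0 flags/PCID, bits 62:12 table address, bit 63 no-flush hint).

```c
/*
 * Added example, not code from the patch series: strip the SME C-bit
 * from CR3 before converting the PGD physical address to a virtual one.
 *
 * Assumptions, stated here rather than taken from the page:
 *  - the C-bit position comes from CPUID Fn8000_001F EBX[5:0]; the EBX
 *    value used below is constructed, not read by executing CPUID;
 *  - CR3 bits 11:0 carry flags or a PCID, bits 62:12 the table address
 *    and bit 63 the PCID no-flush hint;
 *  - PAGE_OFFSET is a constructed direct-map base, not a real layout.
 */
#include <stdint.h>

#define CR3_ADDR_MASK   0x7FFFFFFFFFFFF000ULL   /* bits 62..12 */
#define CR3_PCID_MASK   0x0000000000000FFFULL   /* bits 11..0 */
#define PAGE_OFFSET     0xFFFF888000000000ULL   /* constructed direct-map base */

/* The encryption mask is a single page-table bit at the advertised position. */
static uint64_t sme_mask_from_cpuid(uint32_t ebx)
{
    return 1ULL << (ebx & 0x3F);
}

/* Stand-in for __va(): identity map at a fixed offset. */
static uint64_t direct_map_va(uint64_t pa)
{
    return pa + PAGE_OFFSET;
}

/* Physical address of the PGD: drop PCID/flags and the C-bit. */
static uint64_t cr3_pgd_pa(uint64_t cr3, uint64_t sme_me_mask)
{
    return cr3 & CR3_ADDR_MASK & ~sme_me_mask;
}

/*
 * The mistake the message describes: masking only the low bits and
 * passing the result to __va() keeps the C-bit, so the virtual address
 * lands (1 << C-bit) bytes away from where the PGD really is.
 */
static uint64_t naive_cr3_va(uint64_t cr3)
{
    return direct_map_va(cr3 & CR3_ADDR_MASK);
}

static uint64_t correct_cr3_va(uint64_t cr3, uint64_t sme_me_mask)
{
    return direct_map_va(cr3_pgd_pa(cr3, sme_me_mask));
}

/* Constructed CR3: PGD at 0x100123000, C-bit set, PCID 5 in the low bits. */
static uint64_t sample_cr3(uint64_t sme_me_mask)
{
    return 0x100123000ULL | sme_me_mask | 0x5ULL;
}

int main(void)
{
    /* Constructed EBX: C-bit at position 47, other fields non-zero. */
    uint64_t sme_me_mask = sme_mask_from_cpuid(0x1AF);
    uint64_t cr3 = sample_cr3(sme_me_mask);

    return correct_cr3_va(cr3, sme_me_mask) == naive_cr3_va(cr3) ? 1 : 0;
}
```

The two helpers differ only in the `& ~sme_me_mask` term; with the C-bit at 47 the naive variant is off by 128 TiB, which is why the encryption bit must be cleared before, not after, the direct-map translation.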

[PATCH v6 34/34] x86/mm: Add support to make use of Secure Memory Encryption

2017-06-07 Thread Tom Lendacky
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/kernel/head_64.S |1 arch/x86/mm/mem_encrypt.c | 93 +++-- 2 files changed, 89 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64

[PATCH v6 33/34] x86/boot: Add early cmdline parsing for options with arguments

2017-06-07 Thread Tom Lendacky
Add a cmdline_find_option() function to look for cmdline options that take arguments. The argument is returned in a supplied buffer and the argument length (regardless of whether it fits in the supplied buffer) is returned, with -1 indicating not found. Signed-off-by: Tom Lendacky <thomas.le
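An added example, not the patch's own implementation, of a parser with the contract described above: find an option of the form name=value on the command line, copy the value into a caller-supplied buffer (truncated and NUL-terminated when the buffer is too small), and return the full argument length, or -1 when the option is absent. The function name find_option_arg, the word-boundary matching, the last-occurrence-wins rule and the sample command line are all choices made for this example.

```c
/*
 * Added example, not code from the patch: a cmdline option parser with
 * the semantics described for cmdline_find_option(). The function names
 * and the sample command line are constructed for this example.
 */
#include <stddef.h>
#include <string.h>

/* Boot code cannot rely on <ctype.h>/locale, so test whitespace explicitly. */
static int cl_is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/*
 * Scan at most max_len bytes of cmdline (the boot copy may lack a NUL).
 * Options match whole words only, so "nomem_encrypt=on" does not match
 * "mem_encrypt". If an option appears more than once, the last one wins.
 * Returns the full argument length even when the copy into buf is
 * truncated, or -1 if the option is not present.
 */
static int find_option_arg(const char *cmdline, size_t max_len, const char *option,
                           char *buf, size_t bufsize)
{
    size_t optlen = strlen(option);
    size_t i = 0;
    int found = -1;

    if (!cmdline)
        return -1;
    if (bufsize)
        buf[0] = '\0';

    while (i < max_len && cmdline[i]) {
        while (i < max_len && cmdline[i] && cl_is_space(cmdline[i]))
            i++;
        if (i >= max_len || !cmdline[i])
            break;

        size_t start = i;
        while (i < max_len && cmdline[i] && !cl_is_space(cmdline[i]))
            i++;
        size_t wordlen = i - start;

        if (wordlen > optlen &&
            memcmp(cmdline + start, option, optlen) == 0 &&
            cmdline[start + optlen] == '=') {
            const char *arg = cmdline + start + optlen + 1;
            size_t arglen = wordlen - optlen - 1;

            found = (int)arglen;            /* full length, not the copied length */
            if (bufsize) {
                size_t n = arglen < bufsize - 1 ? arglen : bufsize - 1;
                memcpy(buf, arg, n);
                buf[n] = '\0';
            }
        }
    }
    return found;
}

/* Constructed sample command line, not taken from the page. */
static const char sample_cmdline[] =
    "root=/dev/sda1 nomem_encrypt=x mem_encrypt=on mem_encrypt=off quiet";

/* Length reported for an option on the sample line (-1 if absent). */
static int sample_arg_len(const char *option)
{
    char buf[32];
    return find_option_arg(sample_cmdline, sizeof(sample_cmdline), option, buf, sizeof(buf));
}

/* 1 if the argument, copied through a buffer of bufsize bytes, equals expected. */
static int sample_arg_is(const char *option, size_t bufsize, const char *expected)
{
    char buf[32];
    if (bufsize > sizeof(buf))
        bufsize = sizeof(buf);
    int len = find_option_arg(sample_cmdline, sizeof(sample_cmdline), option, buf, bufsize);
    return len >= 0 && strcmp(buf, expected) == 0;
}
```

Passing sizeof(sample_cmdline) as max_len is what bounds the scan; a caller with an unterminated boot_params copy passes the copy's size instead, and the loop never reads past it. The return value being the full length (3 for "off" even with a 2-byte buffer) is what lets a caller detect truncation.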

[PATCH v6 30/34] x86/mm, kexec: Allow kexec to be used with SME

2017-06-07 Thread Tom Lendacky
the encryption bit. This can cause random memory corruption when caches are flushed depending on which cacheline is written last. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/init.h |1 + arch/x86/include/asm/kexec.h |8 ar

[PATCH v6 32/34] x86/mm: Add support to encrypt the kernel in-place

2017-06-07 Thread Tom Lendacky
Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is encrypted by copying it through a temporary buffer. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.

[PATCH v6 31/34] x86/mm: Use proper encryption attributes with /dev/mem

2017-06-07 Thread Tom Lendacky
or not. If it is not to be mapped encrypted then the VMA protection value is updated to remove the encryption bit. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/io.h |3 +++ arch/x86/mm/ioremap.c | 18 +- arch/x86/mm/pat.c |3 +++ 3 files chang

[PATCH v6 28/34] x86, drm, fbdev: Do not specify encrypted memory for video mappings

2017-06-07 Thread Tom Lendacky
Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/vga.h | 14 +- arch/x86/mm/pageattr.c |2 ++ drive

[PATCH v6 27/34] x86, realmode: Check for memory encryption on the APs

2017-06-07 Thread Tom Lendacky
the AP to continue start up. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c |4 arch/x86/realmode/rm/trampoline_64.S | 24 3 files changed, 40 inse

[PATCH v6 25/34] swiotlb: Add warnings for use of bounce buffers with SME

2017-06-07 Thread Tom Lendacky
Add warnings to let the user know when bounce buffers are being used for DMA when SME is active. Since the bounce buffers are not in encrypted memory, these notifications are to allow the user to determine some appropriate action - if necessary. Signed-off-by: Tom Lendacky <thomas.le

[PATCH v6 24/34] x86, swiotlb: Add memory encryption support

2017-06-07 Thread Tom Lendacky
-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/include/asm/dma-mapping.h |5 ++- arch/x86/include/asm/mem_encrypt.h |5 +++ arch/x86/kernel/pci-dma.c | 11 +-- arch/x86/kernel/pci-nommu.c|2 + arch/x86/kernel/pci-swiotlb.c | 15 -- ar

[PATCH v6 23/34] x86, realmode: Decrypt trampoline area if memory encryption is active

2017-06-07 Thread Tom Lendacky
. Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com> --- arch/x86/realmode/init.c | 11 +++ mm/early_ioremap.c |2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c index a163a90..195ba29 100644 --- a/ar
