initrd will have been loaded by the boot loader and will not be
encrypted, but the memory that it resides in is marked as encrypted).
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 +++
arch/x86/mm/mem_encrypt.c | 76
encryption mask so
that user-space allocations will automatically have the encryption mask
applied.
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h|7 +
arch/x86/include/asm/mem_encrypt.h | 25
functionality or stub routines depending on CONFIG_AMD_MEM_ENCRYPT.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head_64.S | 61 -
arch/x86/mm/Makefile |4 +--
arch/x86/mm/mem_encrypt.c | 26 +++
3 files changed, 86
Create a pgd_pfn() and p4d_pfn() macro similar to the p[um]d_pfn() macros
and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros
instead of duplicating the code.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/pgtable.h | 16 +---
1 file changed, 9 insertions
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/amd.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 15 +++
arch/x86/kernel/cpu/scattered.c|1 +
4 files changed, 19 insertions(+)
diff --git a/arch/x86/include/asm
mapped
decrypted vs encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugfs.c | 34 +++---
arch/x86/kernel/ksysfs.c| 28 ++--
arch/x86/kernel/mpparse.c | 10 +-
arch/x86
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
s,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (32):
x86: Documentation for AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect cache mode for full PAT support
x86, mpparse, x86/acpi, x86/PCI,
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/amd.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt
mapped
decrypted vs encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugfs.c | 34 +++---
arch/x86/kernel/ksysfs.c| 28 ++--
arch/x86/kernel/mpparse.c | 10 +-
arch/x86
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 15 +++
arch/x86/kernel/cpu/scattered.c|1 +
4 files changed, 19 insertions(+)
diff --git a/arch/x86/include/asm
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
s,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (32):
x86: Documentation for AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect cache mode for full PAT support
x86, mpparse, x86/acpi, x86/PCI,
On 3/17/2017 5:58 PM, Elliott, Robert (Persistent Memory) wrote:
-Original Message-
From: linux-kernel-ow...@vger.kernel.org [mailto:linux-kernel-
ow...@vger.kernel.org] On Behalf Of Tom Lendacky
Sent: Thursday, February 16, 2017 9:45 AM
Subject: [RFC PATCH v4 15/28] Add support to
On 3/8/2017 1:09 AM, Dave Young wrote:
On 02/16/17 at 09:47am, Tom Lendacky wrote:
Use memremap() to map the setup data. This will make the appropriate
decision as to whether a RAM remapping can be done or if a fallback to
ioremap_cache() is needed (similar to the setup data debugfs support
On 3/8/2017 1:04 AM, Dave Young wrote:
On 02/16/17 at 09:47am, Tom Lendacky wrote:
Use memremap() to map the setup data. This simplifies the code and will
make the appropriate decision as to whether a RAM remapping can be done
or if a fallback to ioremap_cache() is needed (which includes
On 3/8/2017 12:55 AM, Dave Young wrote:
On 02/16/17 at 09:45am, Tom Lendacky wrote:
[snip]
+ * This function determines if an address should be mapped encrypted.
+ * Boot setup data, EFI data and E820 areas are checked in making this
+ * determination.
+ */
+static bool
On 3/1/2017 12:40 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:48:25AM -0600, Tom Lendacky wrote:
This patch adds the support to check if SME has been enabled and if
memory encryption should be activated (checking of command line option
based on the configuration of the default state
+kexec-list
On 3/6/2017 11:58 AM, Tom Lendacky wrote:
On 3/1/2017 3:25 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
On 02/17/17 at 10:43am, Tom Lendacky wrote:
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so
On 3/1/2017 3:25 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
On 02/17/17 at 10:43am, Tom Lendacky wrote:
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
On 2/25/2017 11:10 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:04AM -0600, Tom Lendacky wrote:
Since DMA addresses will effectively look like 48-bit addresses when the
memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
device performing the DMA does not support
On 3/1/2017 11:36 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:48:08AM -0600, Tom Lendacky wrote:
This patch adds the support to encrypt the kernel in-place. This is
done by creating new page mappings for the kernel - a decrypted
write-protected mapping and an encrypted mapping. The
On 3/1/2017 3:17 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
... SNIP ...
- Added support for (re)booting with kexec
Could you please add kexec list in cc when you updating the patches so
that kexec/kdump people do not miss them?
Sorry about that, I'll be sure to add it to the cc list.
+kexec list
On 2/28/2017 4:35 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
enabled.
Support is needed to allocate pages for kexec without encryption. This
is needed in order to
On 2/27/2017 12:17 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:47AM -0600, Tom Lendacky wrote:
Add support to check if memory encryption is active in the kernel and that
it has been enabled on the AP. If memory encryption is active in the kernel
but has not been enabled on the AP
On 2/27/2017 11:52 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:19AM -0600, Tom Lendacky wrote:
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow
On 2/25/2017 9:29 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:07AM -0600, Tom Lendacky wrote:
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be
On 2/22/2017 12:52 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:45:35AM -0600, Tom Lendacky wrote:
Add support for changing the memory encryption attribute for one or more
memory pages.
"This will be useful when we, , for example."
Yup, will expand on the "why&q
On 2/20/2017 2:09 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:44:30AM -0600, Tom Lendacky wrote:
This patch adds support to return the E820 type associated with an address
s/This patch adds/Add/
range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820/api.h |2
On 2/24/2017 4:21 AM, Borislav Petkov wrote:
On Thu, Feb 23, 2017 at 03:34:30PM -0600, Tom Lendacky wrote:
Hmm... maybe I'm missing something here. This doesn't have anything to
do with kexec or efi_reuse_config. This has to do with the fact that
I said kexec because kexe
On 2/22/2017 12:13 PM, Dave Hansen wrote:
On 02/16/2017 07:43 AM, Tom Lendacky wrote:
static inline unsigned long pte_pfn(pte_t pte)
{
- return (pte_val(pte) & PTE_PFN_MASK) >> PAGE_SHIFT;
+ return (pte_val(pte) & ~sme_me_mask & PTE_PFN_MASK) >> PAGE_S
On 2/21/2017 9:06 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:45:09AM -0600, Tom Lendacky wrote:
Boot data (such as EFI related data) is not encrypted when the system is
booted and needs to be mapped decrypted. Add support to apply the proper
attributes to the EFI page tables and to
On 2/21/2017 6:05 AM, Matt Fleming wrote:
On Thu, 16 Feb, at 09:44:57AM, Tom Lendacky wrote:
Update the efi_mem_type() to return EFI_RESERVED_TYPE instead of a
hardcoded 0.
Signed-off-by: Tom Lendacky
---
arch/x86/platform/efi/efi.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions
On 2/20/2017 1:45 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:44:11AM -0600, Tom Lendacky wrote:
The boot data and command line data are present in memory in a decrypted
state and are copied early in the boot process. The early page fault
support will map these areas as encrypted, so
On 2/20/2017 12:38 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:32AM -0600, Tom Lendacky wrote:
Adding general kernel support for memory encryption includes:
- Modify and create some page table macros to include the Secure Memory
Encryption (SME) memory encryption mask
- Modify
On 2/20/2017 12:22 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:58AM -0600, Tom Lendacky wrote:
Add support to be able to either encrypt or decrypt data in place during
the early stages of booting the kernel. This does not change the memory
encryption attribute - it is used for
On 2/20/2017 9:43 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:48AM -0600, Tom Lendacky wrote:
Add to the early_memremap support to be able to specify encrypted and
early_memremap()
Please append "()" to function names in your commit messages text.
decrypted mapping
On 2/20/2017 9:21 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:32AM -0600, Tom Lendacky wrote:
Adding general kernel support for memory encryption includes:
- Modify and create some page table macros to include the Secure Memory
Encryption (SME) memory encryption mask
Let'
On 2/18/2017 12:12 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:41:59AM -0600, Tom Lendacky wrote:
create mode 100644 Documentation/x86/amd-memory-encryption.txt
create mode 100644 arch/x86/include/asm/mem_encrypt.h
create mode 100644 arch/x86/kernel/mem_encrypt_boot.S
create mode
On 2/20/2017 6:51 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:19AM -0600, Tom Lendacky wrote:
This patch adds support to the early boot code to use Secure Memory
Encryption (SME). Support is added to update the early pagetables with
the memory encryption mask and to encrypt the
On 2/17/2017 9:59 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:46:19AM -0600, Tom Lendacky wrote:
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
enabled.
Is the point of kexec and kdump to ehh, dump memory ? But if the
rest of the memory is encrypted you
On 2/17/2017 5:07 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:42:25AM -0600, Tom Lendacky wrote:
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom
On 02/16/2017 11:56 AM, Borislav Petkov wrote:
> Ok, this time detailed review :-)
>
> On Thu, Feb 16, 2017 at 09:42:11AM -0600, Tom Lendacky wrote:
>> This patch adds a Documenation entry to decribe the AMD Secure Memory
>> Encryption (SME) feature.
>
> Please introdu
On 02/16/2017 12:13 PM, Borislav Petkov wrote:
> On Thu, Feb 16, 2017 at 09:42:36AM -0600, Tom Lendacky wrote:
>> Update the CPU features to include identifying and reporting on the
>> Secure Memory Encryption (SME) feature. SME is identified by CPUID
>> 0x801f, but req
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A CPU running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
of physical address size
of the processor. It is possible that BIOS could have configured resources
resources into a range that will now not be addressable. To prevent this,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
This patch adds the support to encrypt the kernel in-place. This is
done by creating new page mappings for the kernel - a decrypted
write-protected mapping and an encrypted mapping. The kernel is encyrpted
by copying the kernel through a temporary buffer.
Signed-off-by: Tom Lendacky
---
arch
ot;in place."
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head_64.S |1 +
arch/x86/kernel/mem_encrypt_init.c | 71 +++-
arch/x86/mm/mem_encrypt.c |2 +
3 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/h
encryption bit. This
can cause random memory corruption when caches are flushed depending on
which cacheline is written last.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h|2 ++
arch/x86/include/asm/init.h |1 +
arch/x86/include/asm/mem_encrypt.h | 10
Use memremap() to map the setup data. This will make the appropriate
decision as to whether a RAM remapping can be done or if a fallback to
ioremap_cache() is needed (similar to the setup data debugfs support).
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/ksysfs.c | 27
Use memremap() to map the setup data. This simplifies the code and will
make the appropriate decision as to whether a RAM remapping can be done
or if a fallback to ioremap_cache() is needed (which includes checking
PageHighMem).
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/kdebugfs.c | 30
Update the KVM support to include the memory encryption mask when creating
and using nested page tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |3 ++-
arch/x86/kvm/mmu.c |8 ++--
arch/x86/kvm/vmx.c |3 ++-
arch/x86/kvm/x86.c
Since video memory needs to be accessed decrypted, be sure that the
memory encryption mask is not set for the video ranges.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
drivers/gpu/drm/drm_gem.c|2 ++
drivers/gpu/drm/drm_vm.c |4
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/realmode.h | 12
arch/x86/realmode/init.c |4
arch/x86/realmode/rm/trampoline_64.S | 17 +
3 files changed, 33 insertions(+)
diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include
For now, disable the AMD IOMMU if memory encryption is active. A future
patch will re-enable the function with full memory encryption support.
Signed-off-by: Tom Lendacky
---
drivers/iommu/amd_iommu_init.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/drivers/iommu
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow the user to determine some
appropriate action - if necessary.
Signed-off-by: Tom Lendacky
---
arch/x86/include
-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 +--
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 -
arch/x86/mm/mem_encrypt.c
.
Signed-off-by: Tom Lendacky
---
arch/x86/mm/ioremap.c |2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index b0ff6bc..c6cb921 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -498,6 +498,8 @@ static bool
Add support for changing the memory encryption attribute for one or more
memory pages.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 ++
arch/x86/mm/pageattr.c| 66 +
2 files changed, 69 insertions(+)
diff --git a
attribute can be applied.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/io.h |3 +
arch/x86/include/asm/setup.h |8 +++
arch/x86/kernel/setup.c| 33
arch/x86/mm/ioremap.c | 111
arch/x86/platform/efi
Update the efi_mem_type() to return EFI_RESERVED_TYPE instead of a
hardcoded 0.
Signed-off-by: Tom Lendacky
---
arch/x86/platform/efi/efi.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index a15cf81..6407103
This patch adds support that will determine if a supplied physical address
matches the address of an EFI table.
Signed-off-by: Tom Lendacky
---
drivers/firmware/efi/efi.c | 33 +
include/linux/efi.h|7 +++
2 files changed, 40 insertions(+)
diff
initrd, encrypt this data in place. Since the future mapping of the
initrd area will be mapped as encrypted the data will be accessed properly.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 11 +
arch/x86/kernel/head64.c | 34 +++--
arch/x86
encrypting data "in place". The write-protect attribute is
considered cacheable for loads, but not stores. This implies that the
hardware will never give the core a dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 +++
a
This patch adds support to return the E820 type associated with an address
range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820/api.h |2 ++
arch/x86/include/asm/e820/types.h |2 ++
arch/x86/kernel/e820.c| 26 +++---
3 files changed, 27
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/common.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/x86
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeature.h|7 +--
arch/x86/include/asm/cpufeatures.h |5 -
arch/x86/include/asm/disabled-features.h |3 ++-
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/include/asm/required-features.h |3
s that the hardware will never give the core a
dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig |4 +++
arch/x86/include/asm/fixmap.h| 13 ++
arch/x86/include/asm/pgtable_types.h |8 ++
arch/x86/mm
routine to update the protection map with
the memory encryption mask so that it is used by default
- #undef CONFIG_AMD_MEM_ENCRYPT in the compressed boot path
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h|7 +
arch
the necessary #ifdefs
to allow head_64.S to successfully build and call the SME routines.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/Makefile |2 +
arch/x86/kernel/head_64.S | 46 -
arch/x86/kernel/mem_encrypt_init.c | 50
This patch adds a Documenation entry to decribe the AMD Secure Memory
Encryption (SME) feature.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt | 57 +++
2 files changed, 68
On 12/7/2016 7:19 AM, Matt Fleming wrote:
> On Wed, 09 Nov, at 06:36:31PM, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed unencrypted. Add support to apply the
>> proper attributes to the E
On 11/26/2016 2:47 PM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:38:38PM -0600, Tom Lendacky wrote:
>> This patch adds the support to check if SME has been enabled and if the
>> mem_encrypt=on command line option is set. If both of these conditions
>> are true, the
On 11/24/2016 6:50 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:38:26PM -0600, Tom Lendacky wrote:
>> This patch adds the support to check if SME has been enabled and if the
>> mem_encrypt=on command line option is set. If both of these conditions
>> are true, the
On 11/22/2016 1:25 PM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:37:40PM -0600, Tom Lendacky wrote:
>> Add support to check if memory encryption is active in the kernel and that
>> it has been enabled on the AP. If memory encryption is active in the kernel
>> but ha
On 11/17/2016 12:09 PM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:37:08PM -0600, Tom Lendacky wrote:
>> When Secure Memory Encryption is enabled, the trampoline area must not
>> be encrypted. A CPU running in real mode will not be able to decrypt
>> memory that has b
On 11/17/2016 11:39 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:36:55PM -0600, Tom Lendacky wrote:
>> This patch adds support to be change the memory encryption attribute for
>> one or more memory pages.
>
> "Add support for changing ..."
Yeah, I kind
On 11/17/2016 9:55 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:36:31PM -0600, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed unencrypted. Add support to apply the
>> proper attri
On 11/17/2016 6:20 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:36:20PM -0600, Tom Lendacky wrote:
>> The boot data and command line data are present in memory in an
>> un-encrypted state and are copied early in the boot process. The early
>> page fault support wi
09, 2016 at 06:36:10PM -0600, Tom Lendacky wrote:
>> Add support to be able to either encrypt or decrypt data in place during
>> the early stages of booting the kernel. This does not change the memory
>> encryption attribute - it is used for ensuring that data present in either
>&g
On 11/15/2016 3:33 PM, Borislav Petkov wrote:
> On Tue, Nov 15, 2016 at 03:22:45PM -0600, Tom Lendacky wrote:
>> Hmmm... I still need the ebx value from the CPUID instruction to
>> calculate the proper reduction in physical bits, so I'll still need
>> to make the CPUI
On 11/15/2016 6:14 AM, Borislav Petkov wrote:
> On Tue, Nov 15, 2016 at 01:10:35PM +0100, Joerg Roedel wrote:
>> Maybe add a comment here why you can't use cpu_has (yet).
>
> So that could be alleviated by moving this function *after*
> init_scattered_cpuid_features(). Then you can simply do *cpu_
On 11/15/2016 12:17 PM, Radim Krčmář wrote:
> 2016-11-15 11:02-0600, Tom Lendacky:
>> On 11/15/2016 8:39 AM, Radim Krčmář wrote:
>>> 2016-11-09 18:37-0600, Tom Lendacky:
>>>> Since DMA addresses will effectively look like 48-bit addresses when the
>>>>
On 11/15/2016 9:16 AM, Michael S. Tsirkin wrote:
> On Wed, Nov 09, 2016 at 06:37:23PM -0600, Tom Lendacky wrote:
>> Since DMA addresses will effectively look like 48-bit addresses when the
>> memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
>> device pe
On 11/15/2016 10:33 AM, Borislav Petkov wrote:
> On Tue, Nov 15, 2016 at 10:06:16AM -0600, Tom Lendacky wrote:
>> Yes, but that doesn't relate to the physical address space reduction.
>>
>> Once the SYS_CFG MSR bit for SME is set, even if the encryption bit is
>>
On 11/15/2016 8:39 AM, Radim Krčmář wrote:
> 2016-11-09 18:37-0600, Tom Lendacky:
>> Since DMA addresses will effectively look like 48-bit addresses when the
>> memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
>> device performing the DMA does not sup
On 11/15/2016 9:33 AM, Borislav Petkov wrote:
> On Tue, Nov 15, 2016 at 08:40:05AM -0600, Tom Lendacky wrote:
>> The feature may be present and enabled even if it is not currently
>> active. In other words, the SYS_CFG MSR bit could be set but we aren't
>> actually usi
On 11/15/2016 6:14 AM, Borislav Petkov wrote:
> On Tue, Nov 15, 2016 at 01:10:35PM +0100, Joerg Roedel wrote:
>> Maybe add a comment here why you can't use cpu_has (yet).
>
> So that could be alleviated by moving this function *after*
> init_scattered_cpuid_features(). Then you can simply do *cpu_
On 11/15/2016 6:10 AM, Joerg Roedel wrote:
> On Wed, Nov 09, 2016 at 06:35:13PM -0600, Tom Lendacky wrote:
>> +/*
>> + * AMD Secure Memory Encryption (SME) can reduce the size of the physical
>> + * address space if it is enabled, even if memory encryption is not
On 11/14/2016 11:29 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:35:43PM -0600, Tom Lendacky wrote:
>> This patch adds support to the early boot code to use Secure Memory
>> Encryption (SME). Support is added to update the early pagetables with
>> the memory e
On 11/10/2016 4:51 AM, Borislav Petkov wrote:
> On Wed, Nov 09, 2016 at 06:34:39PM -0600, Tom Lendacky wrote:
>> This patch adds a Documenation entry to decribe the AMD Secure Memory
>> Encryption (SME) feature.
>>
>> Signed-off-by: Tom Lendacky
>> ---
>&g
On 11/10/2016 07:26 PM, Kani, Toshimitsu wrote:
> On Thu, 2016-11-10 at 14:14 +0100, Borislav Petkov wrote:
>> + Toshi.
>>
>> On Wed, Nov 09, 2016 at 06:34:48PM -0600, Tom Lendacky wrote:
>>>
>>> For processors that support PAT, set the write-protect cache
401 - 500 of 620 matches
Mail list logo