Re: [PATCH 0/3] Add kdump support for the SEV enabled guest

2019-03-15 Thread lijiang
On 2019-03-15 18:32, Lianbo Jiang wrote:
> For the AMD SEV machines, add kdump support when the SEV is enabled.
> 
> Test tools:
> makedumpfile[v1.6.5]:
> git://git.code.sf.net/p/makedumpfile/code
> commit  ("Add support for AMD Secure Memory Encryption")
> Note: This patch was merged into the devel branch.
> 
> crash-7.2.5: https://github.com/crash-utility/crash.git

commit <942d813cda35> ("Fix for the "kmem -i" option on Linux 5.0 and later 
kernels")

> 
> kexec-tools-2.0.19:
> git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git
> commit <942d813cda35> ("Fix for the kmem '-i' option on Linux 5.0")
> http://lists.infradead.org/pipermail/kexec/2019-March/022576.html
> Note: The second kernel can't boot without this patch.
> 
> kernel:
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> commit  ("Merge branch 'akpm' (patches from Andrew)")
> 
> Test steps:
> [1] load the vmlinux and initrd for kdump
> # kexec -p /boot/vmlinuz-5.0.0+ --initrd=/boot/initramfs-5.0.0+kdump.img 
> --command-line="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.0.0+ ro 
> resume=UUID=126c5e95-fc8b-48d6-a23b-28409198a52e console=ttyS0,115200 
> earlyprintk=serial irqpoll nr_cpus=1 reset_devices cgroup_disable=memory 
> mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail 
> acpi_no_memhotplug transparent_hugepage=never disable_cpu_apicid=0"
> 
> [2] trigger panic
> # echo 1 > /proc/sys/kernel/sysrq
> # echo c > /proc/sysrq-trigger
> 
> [3] check and parse the vmcore
> # crash vmlinux /var/crash/127.0.0.1-2019-03-15-05\:03\:42/vmcore
> 
> Lianbo Jiang (3):
>   kexec: Do not map the kexec area as decrypted when SEV is active
>   kexec: Set the C-bit in the identity map page table when SEV is active
>   kdump,proc/vmcore: Enable kdumping encrypted memory when SEV was
> active
> 
>  arch/x86/kernel/machine_kexec_64.c | 20 +---
>  fs/proc/vmcore.c   |  6 +++---
>  2 files changed, 20 insertions(+), 6 deletions(-)
> 

___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec


[PATCH 0/3] Add kdump support for the SEV enabled guest

2019-03-15 Thread Lianbo Jiang
For the AMD SEV machines, add kdump support when the SEV is enabled.

Test tools:
makedumpfile[v1.6.5]:
git://git.code.sf.net/p/makedumpfile/code
commit  ("Add support for AMD Secure Memory Encryption")
Note: This patch was merged into the devel branch.

crash-7.2.5: https://github.com/crash-utility/crash.git

kexec-tools-2.0.19:
git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git
commit <942d813cda35> ("Fix for the kmem '-i' option on Linux 5.0")
http://lists.infradead.org/pipermail/kexec/2019-March/022576.html
Note: The second kernel can't boot without this patch.

kernel:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
commit  ("Merge branch 'akpm' (patches from Andrew)")

Test steps:
[1] load the vmlinux and initrd for kdump
# kexec -p /boot/vmlinuz-5.0.0+ --initrd=/boot/initramfs-5.0.0+kdump.img 
--command-line="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.0.0+ ro 
resume=UUID=126c5e95-fc8b-48d6-a23b-28409198a52e console=ttyS0,115200 
earlyprintk=serial irqpoll nr_cpus=1 reset_devices cgroup_disable=memory 
mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail 
acpi_no_memhotplug transparent_hugepage=never disable_cpu_apicid=0"

[2] trigger panic
# echo 1 > /proc/sys/kernel/sysrq
# echo c > /proc/sysrq-trigger

[3] check and parse the vmcore
# crash vmlinux /var/crash/127.0.0.1-2019-03-15-05\:03\:42/vmcore

Lianbo Jiang (3):
  kexec: Do not map the kexec area as decrypted when SEV is active
  kexec: Set the C-bit in the identity map page table when SEV is active
  kdump,proc/vmcore: Enable kdumping encrypted memory when SEV was
active

 arch/x86/kernel/machine_kexec_64.c | 20 +---
 fs/proc/vmcore.c   |  6 +++---
 2 files changed, 20 insertions(+), 6 deletions(-)

-- 
2.17.1




[PATCH 3/3] kdump, proc/vmcore: Enable kdumping encrypted memory when SEV was active

2019-03-15 Thread Lianbo Jiang
In the kdump kernel, the memory of first kernel needs to be dumped
into the vmcore file.

It is similar to the SME, if SEV is enabled in the first kernel, the
old memory has to be remapped with memory encryption mask in order to
access it properly. Following commit 992b649a3f01 ("kdump, proc/vmcore:
Enable kdumping encrypted memory with SME enabled") took care of the
SME case but it uses sme_active() which checks for SME only. Let's use
the mem_encrypt_active() which returns true when either of them is
active.

Unlike the SME, the first kernel is loaded into the encrypted memory
when SEV was enabled, hence the kernel elf header must be remapped as
encrypted in order to access it properly.

Co-developed-by: Brijesh Singh 
Signed-off-by: Brijesh Singh 
Signed-off-by: Lianbo Jiang 
---
 fs/proc/vmcore.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
index 3fe90443c1bb..cda6c1922e4f 100644
--- a/fs/proc/vmcore.c
+++ b/fs/proc/vmcore.c
@@ -165,7 +165,7 @@ void __weak elfcorehdr_free(unsigned long long addr)
  */
 ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 *ppos)
 {
-   return read_from_oldmem(buf, count, ppos, 0, false);
+   return read_from_oldmem(buf, count, ppos, 0, sev_active());
 }
 
 /*
@@ -173,7 +173,7 @@ ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 
*ppos)
  */
 ssize_t __weak elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos)
 {
-   return read_from_oldmem(buf, count, ppos, 0, sme_active());
+   return read_from_oldmem(buf, count, ppos, 0, mem_encrypt_active());
 }
 
 /*
@@ -373,7 +373,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, 
loff_t *fpos,
buflen);
start = m->paddr + *fpos - m->offset;
tmp = read_from_oldmem(buffer, tsz, ,
-  userbuf, sme_active());
+  userbuf, mem_encrypt_active());
if (tmp < 0)
return tmp;
buflen -= tsz;
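Review bot: the last argument to read_from_oldmem() here is mem_encrypt_active(), which reports the state of the running kdump kernel, while the commit message is about whether encryption was enabled in the first kernel. Please state in a comment at this call (the same applies to elfcorehdr_read_notes() in the previous hunk) that both kernels are assumed to run with the same encryption state, or explain what happens when they do not.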
-- 
2.17.1




[PATCH 2/3] kexec: Set the C-bit in the identity map page table when SEV is active

2019-03-15 Thread Lianbo Jiang
When SEV is active, the second kernel image is loaded into the
encrypted memory. Let's make sure that when kexec builds the
identity mapping page table it adds the memory encryption mask (C-bit).

Co-developed-by: Brijesh Singh 
Signed-off-by: Brijesh Singh 
Signed-off-by: Lianbo Jiang 
---
 arch/x86/kernel/machine_kexec_64.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/machine_kexec_64.c 
b/arch/x86/kernel/machine_kexec_64.c
index bcebf4993da4..8c58d1864500 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -56,6 +56,7 @@ static int init_transition_pgtable(struct kimage *image, 
pgd_t *pgd)
pte_t *pte;
unsigned long vaddr, paddr;
int result = -ENOMEM;
+   pgprot_t prot = PAGE_KERNEL_EXEC_NOENC;
 
vaddr = (unsigned long)relocate_kernel;
paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE);
@@ -92,7 +93,11 @@ static int init_transition_pgtable(struct kimage *image, 
pgd_t *pgd)
set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
}
pte = pte_offset_kernel(pmd, vaddr);
-   set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC_NOENC));
+
+   if (sev_active())
+   prot = PAGE_KERNEL_EXEC;
+
+   set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, prot));
return 0;
 err:
return result;
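Review bot: the sev_active() check that switches prot to PAGE_KERNEL_EXEC sits between pte_offset_kernel() and set_pte() with no comment, so the reason the mapping stops using PAGE_KERNEL_EXEC_NOENC is only in the commit message. Add a short comment at the check saying that under SEV the second kernel is loaded into encrypted memory, and consider making the selection next to the declaration of prot so the value is fixed before the page table walk starts.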
@@ -129,6 +134,11 @@ static int init_pgtable(struct kimage *image, unsigned 
long start_pgtable)
level4p = (pgd_t *)__va(start_pgtable);
clear_page(level4p);
 
+   if (sev_active()) {
+   info.page_flag |= _PAGE_ENC;
+   info.kernpg_flag = _KERNPG_TABLE;
+   }
+
if (direct_gbpages)
info.direct_gbpages = true;
 
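Review bot: in the sev_active() block, page_flag is extended with "|= _PAGE_ENC" but kernpg_flag is overwritten with "= _KERNPG_TABLE", and the initial values of info are not visible here, so a reader cannot tell what the assignment replaces. A comment stating what kernpg_flag holds otherwise and why SEV needs _KERNPG_TABLE would make the intent clear.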
-- 
2.17.1




[PATCH 1/3] kexec: Do not map the kexec area as decrypted when SEV is active

2019-03-15 Thread Lianbo Jiang
Currently, the arch_kexec_post_{alloc,free}_pages unconditionally
maps the kexec area as decrypted. This works fine when SME is active.
Because in SME, the first kernel is loaded in decrypted area by the
BIOS, so the second kernel must be also loaded into the decrypted
memory.

When SEV is active, the first kernel is loaded into the encrypted
area, so the second kernel must be also loaded into the encrypted
memory. Let's make sure that arch_kexec_post_{alloc,free}_pages does
not clear the memory encryption mask from the kexec area when SEV
is active.

Co-developed-by: Brijesh Singh 
Signed-off-by: Brijesh Singh 
Signed-off-by: Lianbo Jiang 
---
 arch/x86/kernel/machine_kexec_64.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/machine_kexec_64.c 
b/arch/x86/kernel/machine_kexec_64.c
index ceba408ea982..bcebf4993da4 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -566,7 +566,10 @@ int arch_kexec_post_alloc_pages(void *vaddr, unsigned int 
pages, gfp_t gfp)
 * not encrypted because when we boot to the new kernel the
 * pages won't be accessed encrypted (initially).
 */
-   return set_memory_decrypted((unsigned long)vaddr, pages);
+   if (sme_active())
+   return set_memory_decrypted((unsigned long)vaddr, pages);
+
+   return 0;
 }
 
 void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages)
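Review bot: the new condition tests sme_active(), but the comment kept above it still describes the decrypted mapping as unconditional ("the pages won't be accessed encrypted (initially)"), and the SEV case from the commit message is handled only by falling through to "return 0". Please extend the comment to say that under SEV the kexec area stays encrypted, so the early return is not mistaken for a missing case.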
@@ -575,5 +578,6 @@ void arch_kexec_pre_free_pages(void *vaddr, unsigned int 
pages)
 * If SME is active we need to reset the pages back to being
 * an encrypted mapping before freeing them.
 */
-   set_memory_encrypted((unsigned long)vaddr, pages);
+   if (sme_active())
+   set_memory_encrypted((unsigned long)vaddr, pages);
 }
-- 
2.17.1




Re: [PATCH v4 0/8] selftests/kexec: add kexec tests

2019-03-15 Thread Petr Vorel
Hi Mimi,

...
> Changelog v4:
> - Moved the kexec tests to selftests/kexec, as requested by Dave Young.
> - Removed the kernel module selftest from this patch set.
> - Rewritten cover letter, removing reference to kernel modules.

LGTM, to the whole patch-set:
Reviewed-by: Petr Vorel 

Kind regards,
Petr



[PATCH] kexec/x86: Unconditionally add the acpi_rsdp command line

2019-03-15 Thread Lianbo Jiang
The Linux kernel commit 3a63f70bf4c3 introduces the early parsing
of the RSDP. This means that the boot loader must either set the
boot_params.acpi_rsdp_addr or pass a command line 'acpi_rsdp=xxx'
to tell the RSDP physical address.

Currently, kexec neither sets the boot_params.acpi_rsdp nor passes
acpi_rsdp command line if it sees the first kernel supports efi
runtime. This is causing the second kernel boot failure.
The EFI runtime is not available so early in the boot process so
unconditionally pass the 'acpi_rsdp=xxx' to the second kernel.

Signed-off-by: Lianbo Jiang 
Signed-off-by: Brijesh Singh 
---
 kexec/arch/i386/crashdump-x86.c | 17 +
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/kexec/arch/i386/crashdump-x86.c b/kexec/arch/i386/crashdump-x86.c
index 140f45b..a29b15b 100644
--- a/kexec/arch/i386/crashdump-x86.c
+++ b/kexec/arch/i386/crashdump-x86.c
@@ -35,7 +35,6 @@
 #include 
 #include 
 #include 
-#include 
 #include "../../kexec.h"
 #include "../../kexec-elf.h"
 #include "../../kexec-syscall.h"
@@ -772,18 +771,6 @@ static enum coretype get_core_type(struct crash_elf_info 
*elf_info,
}
 }
 
-static int sysfs_efi_runtime_map_exist(void)
-{
-   DIR *dir;
-
-   dir = opendir("/sys/firmware/efi/runtime-map");
-   if (!dir)
-   return 0;
-
-   closedir(dir);
-   return 1;
-}
-
 /* Appends 'acpi_rsdp=' commandline for efi boot crash dump */
 static void cmdline_add_efi(char *cmdline)
 {
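Review bot: with sysfs_efi_runtime_map_exist() removed here and the call made unconditional in the next hunk, the comment left on cmdline_add_efi() ("Appends 'acpi_rsdp=' commandline for efi boot crash dump") no longer says when the option is appended. Update it to say that the parameter is now always passed to the second kernel.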
@@ -978,9 +965,7 @@ int load_crashdump_segments(struct kexec_info *info, char* 
mod_cmdline,
dbgprintf("Created elf header segment at 0x%lx\n", elfcorehdr);
if (delete_memmap(memmap_p, _memmap, elfcorehdr, memsz) < 0)
return -1;
-   if (!bzImage_support_efi_boot || arch_options.noefi ||
-   !sysfs_efi_runtime_map_exist())
-   cmdline_add_efi(mod_cmdline);
+   cmdline_add_efi(mod_cmdline);
cmdline_add_elfcorehdr(mod_cmdline, elfcorehdr);
 
/* Inform second kernel about the presence of ACPI tables. */
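Review bot: dropping the condition means cmdline_add_efi() now also runs in the one case the old test excluded (bzImage_support_efi_boot set, noefi not given, runtime-map present). Check whether bzImage_support_efi_boot and arch_options.noefi still have users after this change, and remove or document them if this test was their only use.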
-- 
2.17.1

