Re: [PATCH 0/3] Add kdump support for the SEV enabled guest
On 2019-03-15 18:32, Lianbo Jiang wrote:
> For the AMD SEV machines, add kdump support when the SEV is enabled.
>
> Test tools:
> makedumpfile[v1.6.5]:
> git://git.code.sf.net/p/makedumpfile/code
> commit ("Add support for AMD Secure Memory Encryption")
> Note: This patch was merged into the devel branch.
>
> crash-7.2.5: https://github.com/crash-utility/crash.git commit <942d813cda35> ("Fix for the "kmem -i" option on Linux 5.0 and later kernels")
>
> kexec-tools-2.0.19:
> git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git
> commit <942d813cda35> ("Fix for the kmem '-i' option on Linux 5.0")
> http://lists.infradead.org/pipermail/kexec/2019-March/022576.html
> Note: The second kernel can't boot without this patch.
>
> kernel:
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> commit ("Merge branch 'akpm' (patches from Andrew)")
>
> Test steps:
> [1] load the vmlinux and initrd for kdump
> # kexec -p /boot/vmlinuz-5.0.0+ --initrd=/boot/initramfs-5.0.0+kdump.img
> --command-line="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.0.0+ ro
> resume=UUID=126c5e95-fc8b-48d6-a23b-28409198a52e console=ttyS0,115200
> earlyprintk=serial irqpoll nr_cpus=1 reset_devices cgroup_disable=memory
> mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail
> acpi_no_memhotplug transparent_hugepage=never disable_cpu_apicid=0"
>
> [2] trigger panic
> # echo 1 > /proc/sys/kernel/sysrq
> # echo c > /proc/sysrq-trigger
>
> [3] check and parse the vmcore
> # crash vmlinux /var/crash/127.0.0.1-2019-03-15-05\:03\:42/vmcore
>
> Lianbo Jiang (3):
> kexec: Do not map the kexec area as decrypted when SEV is active
> kexec: Set the C-bit in the identity map page table when SEV is active
> kdump,proc/vmcore: Enable kdumping encrypted memory when SEV was
> active
>
> arch/x86/kernel/machine_kexec_64.c | 20 +---
> fs/proc/vmcore.c | 6 +++---
> 2 files changed, 20 insertions(+), 6 deletions(-)
>

___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
[PATCH 0/3] Add kdump support for the SEV enabled guest
For the AMD SEV machines, add kdump support when the SEV is enabled.

Test tools:
makedumpfile[v1.6.5]:
git://git.code.sf.net/p/makedumpfile/code
commit ("Add support for AMD Secure Memory Encryption")
Note: This patch was merged into the devel branch.

crash-7.2.5: https://github.com/crash-utility/crash.git

kexec-tools-2.0.19:
git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git
commit <942d813cda35> ("Fix for the kmem '-i' option on Linux 5.0")
http://lists.infradead.org/pipermail/kexec/2019-March/022576.html
Note: The second kernel can't boot without this patch.

kernel:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
commit ("Merge branch 'akpm' (patches from Andrew)")

Test steps:
[1] load the vmlinux and initrd for kdump
# kexec -p /boot/vmlinuz-5.0.0+ --initrd=/boot/initramfs-5.0.0+kdump.img
--command-line="BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.0.0+ ro
resume=UUID=126c5e95-fc8b-48d6-a23b-28409198a52e console=ttyS0,115200
earlyprintk=serial irqpoll nr_cpus=1 reset_devices cgroup_disable=memory
mce=off numa=off udev.children-max=2 panic=10 rootflags=nofail
acpi_no_memhotplug transparent_hugepage=never disable_cpu_apicid=0"

[2] trigger panic
# echo 1 > /proc/sys/kernel/sysrq
# echo c > /proc/sysrq-trigger

[3] check and parse the vmcore
# crash vmlinux /var/crash/127.0.0.1-2019-03-15-05\:03\:42/vmcore

Lianbo Jiang (3):
kexec: Do not map the kexec area as decrypted when SEV is active
kexec: Set the C-bit in the identity map page table when SEV is active
kdump,proc/vmcore: Enable kdumping encrypted memory when SEV was active

arch/x86/kernel/machine_kexec_64.c | 20 +---
fs/proc/vmcore.c | 6 +++---
2 files changed, 20 insertions(+), 6 deletions(-)

--
2.17.1
[PATCH 3/3] kdump, proc/vmcore: Enable kdumping encrypted memory when SEV was active
In the kdump kernel, the memory of first kernel needs to be dumped into the vmcore file. It is similar to the SME, if SEV is enabled in the first kernel, the old memory has to be remapped with memory encryption mask in order to access it properly. Following commit 992b649a3f01 ("kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled") took care of the SME case but it uses sme_active() which checks for SME only. Lets use the mem_encrypt_active() which returns true when either of them are active. Unlike the SME, the first kernel is loaded into the encrypted memory when SEV was enabled, hence the kernel elf header must be remapped as encrypted in order to access it properly. Co-developed-by: Brijesh Singh Signed-off-by: Brijesh Singh Signed-off-by: Lianbo Jiang --- fs/proc/vmcore.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c index 3fe90443c1bb..cda6c1922e4f 100644 --- a/fs/proc/vmcore.c +++ b/fs/proc/vmcore.c @@ -165,7 +165,7 @@ void __weak elfcorehdr_free(unsigned long long addr) */ ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 *ppos) { - return read_from_oldmem(buf, count, ppos, 0, false); + return read_from_oldmem(buf, count, ppos, 0, sev_active()); } /* @@ -173,7 +173,7 @@ ssize_t __weak elfcorehdr_read(char *buf, size_t count, u64 *ppos) */ ssize_t __weak elfcorehdr_read_notes(char *buf, size_t count, u64 *ppos) { - return read_from_oldmem(buf, count, ppos, 0, sme_active()); + return read_from_oldmem(buf, count, ppos, 0, mem_encrypt_active()); } /* @@ -373,7 +373,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos, buflen); start = m->paddr + *fpos - m->offset; tmp = read_from_oldmem(buffer, tsz, , - userbuf, sme_active()); + userbuf, mem_encrypt_active()); if (tmp < 0) return tmp; buflen -= tsz; -- 2.17.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
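Review bot: In the first hunk, elfcorehdr_read() now passes sev_active() while elfcorehdr_read_notes() and __read_vmcore() pass mem_encrypt_active(), and nothing in the code says why the ELF header is treated differently from the notes and the dump data. The reason is only in the commit message (under SEV the first kernel is loaded into encrypted memory, so its ELF header must be read through an encrypted mapping; under SME it is not), so please put it in the comment above elfcorehdr_read(). Since the function is already __weak, an architecture override would also keep the SEV-specific decision out of the generic default in fs/proc/vmcore.c.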
[PATCH 2/3] kexec: Set the C-bit in the identity map page table when SEV is active
When SEV is active, the second kernel image is loaded into the encrypted memory. Lets make sure that when kexec builds the identity mapping page table it adds the memory encryption mask(C-bit). Co-developed-by: Brijesh Singh Signed-off-by: Brijesh Singh Signed-off-by: Lianbo Jiang --- arch/x86/kernel/machine_kexec_64.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c index bcebf4993da4..8c58d1864500 100644 --- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -56,6 +56,7 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) pte_t *pte; unsigned long vaddr, paddr; int result = -ENOMEM; + pgprot_t prot = PAGE_KERNEL_EXEC_NOENC; vaddr = (unsigned long)relocate_kernel; paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE); @@ -92,7 +93,11 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE)); } pte = pte_offset_kernel(pmd, vaddr); - set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC_NOENC)); + + if (sev_active()) + prot = PAGE_KERNEL_EXEC; + + set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, prot)); return 0; err: return result; @@ -129,6 +134,11 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) level4p = (pgd_t *)__va(start_pgtable); clear_page(level4p); + if (sev_active()) { + info.page_flag |= _PAGE_ENC; + info.kernpg_flag = _KERNPG_TABLE; + } + if (direct_gbpages) info.direct_gbpages = true; -- 2.17.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
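Review bot: In init_transition_pgtable(), prot is initialised to PAGE_KERNEL_EXEC_NOENC at the declaration in the first hunk and then conditionally overwritten in the second hunk, immediately before its only use in set_pte(). Selecting the protection in one place next to the set_pte() call, with a one-line comment that under SEV the control page has to stay mapped encrypted, would be easier to follow than a default that is silently replaced later.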
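Review bot: In the init_pgtable() hunk, info.page_flag is extended with "|= _PAGE_ENC" but info.kernpg_flag is overwritten with a plain "= _KERNPG_TABLE", and neither line is commented. Please add a comment stating what kernpg_flag is replaced and why the identity map needs _KERNPG_TABLE under SEV, so the asymmetry between the two assignments does not look accidental; the commit message mentions only the C-bit on the mapping itself.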
[PATCH 1/3] kexec: Do not map the kexec area as decrypted when SEV is active
Currently, the arch_kexec_post_{alloc,free}_pages unconditionally maps the kexec area as decrypted. This works fine when SME is active. Because in SME, the first kernel is loaded in decrypted area by the BIOS, so the second kernel must be also loaded into the decrypted memory. When SEV is active, the first kernel is loaded into the encrypted area, so the second kernel must be also loaded into the encrypted memory. Lets make sure that arch_kexec_post_{alloc,free}_pages does not clear the memory encryption mask from the kexec area when SEV is active. Co-developed-by: Brijesh Singh Signed-off-by: Brijesh Singh Signed-off-by: Lianbo Jiang --- arch/x86/kernel/machine_kexec_64.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c index ceba408ea982..bcebf4993da4 100644 --- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -566,7 +566,10 @@ int arch_kexec_post_alloc_pages(void *vaddr, unsigned int pages, gfp_t gfp) * not encrypted because when we boot to the new kernel the * pages won't be accessed encrypted (initially). */ - return set_memory_decrypted((unsigned long)vaddr, pages); + if (sme_active()) + return set_memory_decrypted((unsigned long)vaddr, pages); + + return 0; } void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages) @@ -575,5 +578,6 @@ void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages) * If SME is active we need to reset the pages back to being * an encrypted mapping before freeing them. */ - set_memory_encrypted((unsigned long)vaddr, pages); + if (sme_active()) + set_memory_encrypted((unsigned long)vaddr, pages); } -- 2.17.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
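Review bot: In arch_kexec_post_alloc_pages(), the comment kept above the new sme_active() check still describes the old unconditional behaviour ("pages won't be accessed encrypted (initially)"), which is not true when SEV is active and the function now returns 0 without touching the mapping. Please extend that comment, and the "If SME is active" comment in arch_kexec_pre_free_pages(), to say that under SEV the kexec area is deliberately left encrypted because the second kernel is loaded into encrypted memory, as the commit message explains.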
Re: [PATCH v4 0/8] selftests/kexec: add kexec tests
Hi Mimi,

...
> Changelog v4:
> - Moved the kexec tests to selftests/kexec, as requested by Dave Young.
> - Removed the kernel module selftest from this patch set.
> - Rewritten cover letter, removing reference to kernel modules.

LGTM, to whole patch-set:
Reviewed-by: Petr Vorel

Kind regards,
Petr
[PATCH] kexec/x86: Unconditionally add the acpi_rsdp command line
The Linux kernel commit 3a63f70bf4c3 introduces the early parsing of the RSDP. This means that boot loader must either set the boot_params.acpi_rsdp_addr or pass a command line 'acpi_rsdp=xxx' to tell the RDSP physical address. Currently, kexec neither sets the boot_params.acpi_rsdp or passes acpi_rsdp command line if it sees the first kernel support efi runtime. This is causing the second kernel boot failure. The EFI runtime is not available so early in the boot process so unconditionally pass the 'acpi_rsdp=xxx' to the second kernel. Signed-off-by: Lianbo Jiang Signed-off-by: Brijesh Singh --- kexec/arch/i386/crashdump-x86.c | 17 + 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/kexec/arch/i386/crashdump-x86.c b/kexec/arch/i386/crashdump-x86.c index 140f45b..a29b15b 100644 --- a/kexec/arch/i386/crashdump-x86.c +++ b/kexec/arch/i386/crashdump-x86.c @@ -35,7 +35,6 @@ #include #include #include -#include #include "../../kexec.h" #include "../../kexec-elf.h" #include "../../kexec-syscall.h" @@ -772,18 +771,6 @@ static enum coretype get_core_type(struct crash_elf_info *elf_info, } } -static int sysfs_efi_runtime_map_exist(void) -{ - DIR *dir; - - dir = opendir("/sys/firmware/efi/runtime-map"); - if (!dir) - return 0; - - closedir(dir); - return 1; -} - /* Appends 'acpi_rsdp=' commandline for efi boot crash dump */ static void cmdline_add_efi(char *cmdline) { @@ -978,9 +965,7 @@ int load_crashdump_segments(struct kexec_info *info, char* mod_cmdline, dbgprintf("Created elf header segment at 0x%lx\n", elfcorehdr); if (delete_memmap(memmap_p, _memmap, elfcorehdr, memsz) < 0) return -1; - if (!bzImage_support_efi_boot || arch_options.noefi || - !sysfs_efi_runtime_map_exist()) - cmdline_add_efi(mod_cmdline); + cmdline_add_efi(mod_cmdline); cmdline_add_elfcorehdr(mod_cmdline, elfcorehdr); /* Inform second kernel about the presence of ACPI tables. */ -- 2.17.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
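Review bot: In the load_crashdump_segments() hunk, the call to cmdline_add_efi() loses all three guards at once, so bzImage_support_efi_boot and arch_options.noefi no longer have any effect on whether acpi_rsdp= is appended, while the commit message only argues that the EFI runtime is unavailable early in boot. Please state in the commit message what cmdline_add_efi() does when the first kernel was not booted via EFI, now that it runs on every crash load, and update the comment above it ("Appends 'acpi_rsdp=' commandline for efi boot crash dump") to match the unconditional call.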