1). When SEV is active the UEFI runtime data marked
> as EFI_MEMORY_MAPPED_IO should be mapped as 'unencrypted' so that both
> guest and hypervisor can access the data.
>
> Fixes: 1379edd59673 (x86/efi: Access EFI data as encrypted ...)
> Cc: Tom Lendacky
> Cc: Thomas Gleixner
On 11/3/2017 10:12 AM, Tomeu Vizoso wrote:
On 17 July 2017 at 23:10, Tom Lendacky <thomas.lenda...@amd.com> wrote:
The SMP MP-table is built by UEFI and placed in memory in a decrypted
state. These tables are accessed using a mix of early_memremap(),
early_memunmap(), phys_t
On 8/23/2017 10:30 AM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:54PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
Early in the boot process, add checks to determine if the kernel is
running with Secure Encrypted Virtualization (SEV) active.
Ch
On 8/1/2017 11:02 PM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:51PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
In order for memory pages to be properly mapped when SEV is active, we
need to use the PAGE_KERNEL protection attribute as th
On 8/17/2017 1:55 PM, Tom Lendacky wrote:
On 7/28/2017 10:23 AM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:49PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
The walk_iomem_res_desc(), walk_system_ram_res() and
walk_system_ram_range()
function
On 7/28/2017 10:23 AM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:49PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
The walk_iomem_res_desc(), walk_system_ram_res() and walk_system_ram_range()
functions each have much of the same code. Create
On 7/28/2017 5:31 AM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:48PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
EFI data is encrypted when the kernel is run under SEV. Update the
page table references to be sure the EFI memory areas are ac
On 7/27/2017 9:58 AM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:47PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
The current code checks only for sme_active() when determining whether
to perform the encryption attribute change. Include sev_
On 7/26/2017 11:03 AM, Borislav Petkov wrote:
Subject: x86/realmode: ...
Done.
On Mon, Jul 24, 2017 at 02:07:45PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
When SEV is active the trampoline area will need to be in encrypted
memory so only mark th
On 7/25/2017 11:28 PM, Borislav Petkov wrote:
On Mon, Jul 24, 2017 at 02:07:43PM -0500, Brijesh Singh wrote:
From: Tom Lendacky <thomas.lenda...@amd.com>
Provide support for Secure Encrypted Virtualization (SEV). This initial
Your subject misses a verb and patch subjects shoul
On 7/18/2017 7:03 AM, Thomas Gleixner wrote:
On Mon, 17 Jul 2017, Tom Lendacky wrote:
This patch series provides support for AMD's new Secure Memory Encryption (SME)
feature.
SME can be used to mark individual pages of memory as encrypted through the
page tables. A page of memory
On 7/18/2017 4:36 AM, Ingo Molnar wrote:
* Tom Lendacky <thomas.lenda...@amd.com> wrote:
Create a new function attribute, __nostackp, that can be used to turn off
stack protection on a per function basis.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
include/linux/co
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/cp
.
For the initrd, encrypt this data in place. Since the future mapping of
the initrd area will be mapped as encrypted the data will be accessed
properly.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h | 6
arch/x86/include/asm/pgtable.h | 3 ++
range.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/set_memory.h | 3 ++
arch/x86/mm/pageattr.c| 62 +++
2 files changed, 65 insertions(+)
diff --git a/arch
Move the setting of the cpuinfo_x86.microcode field from amd_init() to
early_amd_init() so that it is available earlier in the boot process. This
avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Le
<jroe...@suse.de>
Acked-by: Joerg Roedel <jroe...@suse.de>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
drivers/iommu/amd_iommu.c | 30 --
driver
, replacing the device with another device that can support 64-bit
DMA, ignoring the message if the device isn't used much, etc.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
include/linux/dma-mapping.h | 13 +
lib/swiotlb.c | 3 +++
2 files changed, 16 inse
or not. If it is not to be mapped encrypted then the VMA protection
value is updated to remove the encryption bit.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/io.h | 3 +++
arch/x86/mm/ioremap.c | 18 +-
arch/
Add the support to encrypt the kernel in-place. This is done by creating
new page mappings for the kernel - a decrypted write-protected mapping
and an encrypted mapping. The kernel is encrypted by copying it through
a temporary buffer.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.
Create a new function attribute, __nostackp, that can be used to turn off
stack protection on a per function basis.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
include/linux/compiler-gcc.h | 2 ++
include/linux/compiler.h | 4
2 files changed, 6 insertions(+)
diff
Add a function that will return the E820 type associated with an address
range.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/e820/api.h | 2 ++
arch/x86/kernel/e820.c | 26 +++
and not configured as CONFIG_X86_32.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/msr-index.h | 2 ++
arch/x86/kernel/cpu/amd.c | 19 +++
arch/x86/kernel/cpu/scattered.c| 1 +
4
On 7/10/2017 11:58 PM, Brian Gerst wrote:
On Mon, Jul 10, 2017 at 3:50 PM, Tom Lendacky <thomas.lenda...@amd.com> wrote:
On 7/8/2017 7:57 AM, Brian Gerst wrote:
On Fri, Jul 7, 2017 at 9:39 AM, Tom Lendacky <thomas.lenda...@amd.com>
wrote:
Currently there is a check if the a
On 7/8/2017 7:57 AM, Brian Gerst wrote:
On Fri, Jul 7, 2017 at 9:39 AM, Tom Lendacky <thomas.lenda...@amd.com> wrote:
Currently there is a check if the address being mapped is in the ISA
range (is_ISA_range()), and if it is, then phys_to_virt() is used to
perform the mapping. When SME is
On 7/8/2017 7:50 AM, Brian Gerst wrote:
On Fri, Jul 7, 2017 at 9:38 AM, Tom Lendacky <thomas.lenda...@amd.com> wrote:
Update the CPU features to include identifying and reporting on the
Secure Memory Encryption (SME) feature. SME is identified by CPUID
0x801f, but requires BIOS s
44 arch/x86/include/asm/mem_encrypt.h
create mode 100644 arch/x86/mm/mem_encrypt.c
create mode 100644 arch/x86/mm/mem_encrypt_boot.S
create mode 100644 include/linux/mem_encrypt.h
--
Tom Lendacky
.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 13 +
arch/x86/kernel/cpu/scattered.c
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/mm/pat.c |6 +++---
1 file changed,
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/cpu/amd.c | 10 +
being mapped
decrypted vs encrypted.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/dmi.h |8
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugf
.
The routines to set the encryption mask and perform the encryption are
stub routines for now with functionality to be added in a later patch.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |8 +
arch/x86/kernel/head64.c
ed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/Kconfig | 25 +
arch/x86/include/asm/mem_encrypt.h | 30 ++
arch/x86/mm/Makefile |1 +
arch/x86/mm/mem_encrypt.c
scenario, remove the ISA range check and
usage of phys_to_virt() and have ISA range mappings continue through the
remaining ioremap() path.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/mm/ioremap.c |7 +--
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git
a native version of read_cr3_pa(),
so create native_read_cr3_pa().
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/processor-flags.h |5 +++--
arch/x86/include/asm/processor.h |5 +
2 file
the initrd will have been loaded by the boot loader and will not be
encrypted, but the memory that it resides in is marked as encrypted).
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h | 10 +
.
For the initrd, encrypt this data in place. Since the future mapping of
the initrd area will be mapped as encrypted the data will be accessed
properly.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |6 +++
arch/x86/include/asm/pgtable.h
to return a negative error value when no memmap entry is
found.
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/ia64/kernel/efi.c |4 ++--
arch/x86/platfor
of the encryption mask so that the data can be successfully accessed when
SME is active.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/mpparse.c | 98 -
1 file changed, 70 inser
the
AP to continue start up.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/realmode.h | 12
arch/x86/realmode/init.c |4
arch/x86/realmode/rm/trampoline
or not. If it is not to be mapped encrypted then the VMA protection
value is updated to remove the encryption bit.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/io.h |3 +++
arch/x86/mm/ioremap.c | 18 +-
arch/
Add a cmdline_find_option() function to look for cmdline options that
take arguments. The argument is returned in a supplied buffer and the
argument length (regardless of whether it fits in the supplied buffer)
is returned, with -1 indicating not found.
Signed-off-by: Tom Lendacky <thomas.le
Add the support to encrypt the kernel in-place. This is done by creating
new page mappings for the kernel - a decrypted write-protected mapping
and an encrypted mapping. The kernel is encrypted by copying it through
a temporary buffer.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.
Add the support to encrypt the kernel in-place. This is done by creating
new page mappings for the kernel - a decrypted write-protected mapping
and an encrypted mapping. The kernel is encrypted by copying it through
a temporary buffer.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |6 ++-
arch/x86/kernel/head64.c |5 +-
arch/x86/mm/mem_encrypt.c | 77
3 files changed, 83 insertions(+), 5 deletions(-)
diff
or not. If it is not to be mapped encrypted then the VMA protection
value is updated to remove the encryption bit.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/io.h |3 +++
arch/x86/mm/ioremap.c | 18 +-
arch/
tables.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/kvm_host.h |2 +-
arch/x86/kvm/mmu.c | 12
arch/x86/kvm/mmu.h |2 +-
arch/x86/kvm/svm.c
Since video memory needs to be accessed decrypted, be sure that the
memory encryption mask is not set for the video ranges.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/vga.h | 14 +-
.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/realmode/init.c |8
1 file changed, 8 insertions(+)
diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
index cd4be19..d6ddc7e 100644
--- a/arch/x86/realmode/init.c
+++ b/arch/x86/realmode/init.c
.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/mm/ioremap.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index ee33
ed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/Kconfig | 25 +
arch/x86/include/asm/mem_encrypt.h | 30 ++
arch/x86/mm/Makefile |1 +
arch/x86/mm/mem_encrypt.c
Move the setting of the cpuinfo_x86.microcode field from amd_init() to
early_amd_init() so that it is available earlier in the boot process. This
avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Le
Since video memory needs to be accessed decrypted, be sure that the
memory encryption mask is not set for the video ranges.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/vga.h | 14 +-
to be included in these physical addresses during configuration.
The PTE entries created by the IOMMU should also include the encryption
mask so that when the device behind the IOMMU performs a DMA, the DMA
will be performed to encrypted memory.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-b
.
The routines to set the encryption mask and perform the encryption are
stub routines for now with functionality to be added in a later patch.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |8 +
arch/x86/kernel/head64.c
Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then
use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of
duplicating the code.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/a
.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/mm/ioremap.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index ee33
is implies that the hardware will never give the core a
dirty line with this memtype.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/Kconfig |4 +++
arch/x86/include/asm/fixmap.h| 13 ++
range.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/set_memory.h |3 ++
arch/x86/mm/pageattr.c| 62 +
2 files changed, 65 insertions(+)
diff --git a/arch
remapping, ioremap_cache() will be used
instead, which will provide a decrypted mapping of the boot related data.
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/inclu
the initrd will have been loaded by the boot loader and will not be
encrypted, but the memory that it resides in is marked as encrypted).
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h | 10 +
.
For the initrd, encrypt this data in place. Since the future mapping of
the initrd area will be mapped as encrypted the data will be accessed
properly.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |6 +++
arch/x86/include/asm/pgtable.h
Add a function that will return the E820 type associated with an address
range.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/e820/api.h |2 ++
arch/x86/kernel/e820.c | 26 +
of the encryption mask so that the data can be successfully accessed when
SME is active.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/mpparse.c | 98 -
1 file changed, 70 inser
successfully. The pagetable mapping
as well as the kernel are also added to the pagetable mapping as encrypted.
All other EFI mappings are mapped decrypted (tables, etc.).
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by:
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/cpu/amd.c | 10 +
esources
resources into a range that will now not be addressable. To prevent this,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (38):
x86: Document AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect
.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 13 +
arch/x86/kernel/cpu/scattered.c
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
Documentation/admin-
being mapped
decrypted vs encrypted.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/dmi.h |8
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugf
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/mm/pat.c |6 +++---
1 file changed,
-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 +--
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c | 15 +-
ar
remapping, ioremap_cache() will be used
instead, which will provide a decrypted mapping of the boot related data.
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/inclu
range.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/set_memory.h |3 ++
arch/x86/mm/pageattr.c| 62 +
2 files changed, 65 insertions(+)
diff --git a/arch
of the encryption mask so that the data can be successfully accessed when
SME is active.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/kernel/mpparse.c | 98 -
1 file changed, 70 inser
Add a function that will determine if a supplied physical address matches
the address of an EFI table.
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
drivers/firmwar
successfully. The pagetable mapping
as well as the kernel are also added to the pagetable mapping as encrypted.
All other EFI mappings are mapped decrypted (tables, etc.).
Reviewed-by: Matt Fleming <m...@codeblueprint.co.uk>
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by:
the encryption mask so
that user-space allocations will automatically have the encryption mask
applied.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h
.
For the initrd, encrypt this data in place. Since the future mapping of
the initrd area will be mapped as encrypted the data will be accessed
properly.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/mem_encrypt.h |6 +++
arch/x86/include/asm/pgtable.h
Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then
use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of
duplicating the code.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/a
being mapped
decrypted vs encrypted.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/dmi.h |8
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugf
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
Documentation/admin-
.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 13 +
arch/x86/kernel/cpu/scattered.c
range that will now not be addressable. To prevent this,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (38):
x86: Document AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect cache mode for full PAT suppor
On 6/23/2017 5:00 AM, Borislav Petkov wrote:
On Fri, Jun 16, 2017 at 01:56:19PM -0500, Tom Lendacky wrote:
Add the support to encrypt the kernel in-place. This is done by creating
new page mappings for the kernel - a decrypted write-protected mapping
and an encrypted mapping. The kernel
On 6/22/2017 5:56 AM, Borislav Petkov wrote:
On Fri, Jun 16, 2017 at 01:54:59PM -0500, Tom Lendacky wrote:
The IOMMU is programmed with physical addresses for the various tables
and buffers that are used to communicate between the device and the
driver. When the driver allocates this memory
On 6/21/2017 11:59 AM, Borislav Petkov wrote:
On Wed, Jun 21, 2017 at 05:37:22PM +0200, Joerg Roedel wrote:
Do you mean this is like the last exception case in that document above:
"
- Pointers to data structures in coherent memory which might be modified
by I/O devices can, sometimes,
On 6/21/2017 5:50 AM, Borislav Petkov wrote:
On Fri, Jun 16, 2017 at 01:54:36PM -0500, Tom Lendacky wrote:
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow
On 6/21/2017 2:16 AM, Thomas Gleixner wrote:
On Fri, 16 Jun 2017, Tom Lendacky wrote:
diff --git a/arch/x86/include/asm/mem_encrypt.h
b/arch/x86/include/asm/mem_encrypt.h
index a105796..988b336 100644
--- a/arch/x86/include/asm/mem_encrypt.h
+++ b/arch/x86/include/asm/mem_encrypt.h
@@ -15,16
On 6/21/2017 2:37 AM, Thomas Gleixner wrote:
On Fri, 16 Jun 2017, Tom Lendacky wrote:
Currently there is a check if the address being mapped is in the ISA
range (is_ISA_range()), and if it is then phys_to_virt() is used to
perform the mapping. When SME is active, however, this will result
On 6/20/2017 3:49 PM, Thomas Gleixner wrote:
On Fri, 16 Jun 2017, Tom Lendacky wrote:
+config ARCH_HAS_MEM_ENCRYPT
+ def_bool y
+ depends on X86
That one is silly. The config switch is in the x86 KConfig file, so X86 is
on. If you intended to move this to some generic place
On 6/20/2017 11:17 AM, Andy Lutomirski wrote:
On Fri, Jun 16, 2017 at 11:51 AM, Tom Lendacky <thomas.lenda...@amd.com> wrote:
The cr3 register entry can contain the SME encryption mask that indicates
the PGD is encrypted. The encryption mask should not be used when
creating a virtual a
On 6/20/2017 2:38 AM, Borislav Petkov wrote:
On Fri, Jun 16, 2017 at 01:51:15PM -0500, Tom Lendacky wrote:
Add support to the early boot code to use Secure Memory Encryption (SME).
Since the kernel has been loaded into memory in a decrypted state, encrypt
the kernel in place and update
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
Documentation/admin-
being mapped
decrypted vs encrypted.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/dmi.h |8
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugfs.c | 34 +++---
arch/x86/kernel/ksysfs.c
Create a pgd_pfn() macro similar to the p[um]d_pfn() macros and then
use the p[gum]d_pfn() macros in the p[gum]d_page() macros instead of
duplicating the code.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/a
a native version of read_cr3_pa(),
so create native_read_cr3_pa().
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/processor-flags.h |3 ++-
arch/x86/include/asm/processor.h |5 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ar
the encryption mask so
that user-space allocations will automatically have the encryption mask
applied.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h
remapping, ioremap_cache() will be used
instead, which will provide a decrypted mapping of the boot related data.
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/x86/include/asm/io.h |5 +
arch/x86/mm/ioremap.c | 179 +
include
to return a negative error value when no memmap entry is
found.
Reviewed-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
---
arch/ia64/kernel/efi.c |4 ++--
arch/x86/platform/efi/efi.c |6 +++---
include/linux/efi.h |2