From: Joerg Roedel <joro@8bytes.org>
To: x86@kernel.org
Cc: Joerg Roedel <joro@8bytes.org>, Joerg Roedel <jroedel@suse.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
hpa@zytor.com, Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Jiri Slaby <jslaby@suse.cz>,
Dan Williams <dan.j.williams@intel.com>,
Juergen Gross <jgross@suse.com>,
Kees Cook <keescook@chromium.org>,
David Rientjes <rientjes@google.com>,
Cfir Cohen <cfir@google.com>, Erdem Aktas <erdemaktas@google.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mike Stunes <mstunes@vmware.com>,
Sean Christopherson <seanjc@google.com>,
Martin Radev <martin.b.radev@gmail.com>,
Arvind Sankar <nivedita@alum.mit.edu>,
linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, virtualization@lists.linux-foundation.org
Subject: [PATCH v3 1/7] x86/ioremap: Map efi_mem_reserve() memory as encrypted for SEV
Date: Tue, 8 Jun 2021 11:54:33 +0200 [thread overview]
Message-ID: <20210608095439.12668-2-joro@8bytes.org> (raw)
In-Reply-To: <20210608095439.12668-1-joro@8bytes.org>
From: Tom Lendacky <thomas.lendacky@amd.com>
Some drivers require memory that is marked as EFI boot services data. So that
this memory is not re-used by the kernel after ExitBootServices(),
efi_mem_reserve() is used to preserve it by inserting a new EFI memory
descriptor and marking it with the EFI_MEMORY_RUNTIME attribute.
Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
be mapped encrypted by Linux, otherwise the kernel might crash at boot
like below:
EFI Variables Facility v0.08 2004-May-17
general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:efi_mokvar_entry_next+0x34/0x40
Code: c5 01 48 8b 17 48 c7 07 00 00 00 00 48 85 c0 74 24 48 85 d2 74 14 80 3a 00 74 18 48 8b 82 00 01 00 00 48 8d 84 02 08 01 00 00 <80> 38 00 74 04 48 89 07 c3 31 c0 c3 0f 1f 44 00 00 41 54 4c 8b 25
[...]
Call Trace:
efi_mokvar_sysfs_init
? efi_mokvar_table_init
do_one_initcall
? __kmalloc
kernel_init_freeable
? rest_init
kernel_init
ret_from_fork
Modules linked in:
---[ end trace 0de27ecc25d41b73 ]---
Expand the __ioremap_check_other() function to additionally check for this
other type of "runtime" data and indicate that it should be mapped encrypted
for an SEV guest.
Fixes: 58c909022a5a ("efi: Support for MOK variable config table")
Reported-by: Joerg Roedel <jroedel@suse.de>
Tested-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
arch/x86/mm/ioremap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index 12c686c65ea9..60ade7dd71bd 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des
if (!IS_ENABLED(CONFIG_EFI))
return;
- if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA)
+ if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA ||
+ (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA &&
+ efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME))
desc->flags |= IORES_MAP_ENCRYPTED;
}
--
2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Joerg Roedel <joro@8bytes.org>
To: x86@kernel.org
Cc: kvm@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
virtualization@lists.linux-foundation.org,
Arvind Sankar <nivedita@alum.mit.edu>,
hpa@zytor.com, Jiri Slaby <jslaby@suse.cz>,
Joerg Roedel <joro@8bytes.org>,
David Rientjes <rientjes@google.com>,
Martin Radev <martin.b.radev@gmail.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Joerg Roedel <jroedel@suse.de>, Kees Cook <keescook@chromium.org>,
Cfir Cohen <cfir@google.com>,
linux-coco@lists.linux.dev, Andy Lutomirski <luto@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Juergen Gross <jgross@suse.com>, Mike Stunes <mstunes@vmware.com>,
Sean Christopherson <seanjc@google.com>,
linux-kernel@vger.kernel.org,
Masami Hiramatsu <mhiramat@kernel.org>,
Erdem Aktas <erdemaktas@google.com>
Subject: [PATCH v3 1/7] x86/ioremap: Map efi_mem_reserve() memory as encrypted for SEV
Date: Tue, 8 Jun 2021 11:54:33 +0200 [thread overview]
Message-ID: <20210608095439.12668-2-joro@8bytes.org> (raw)
In-Reply-To: <20210608095439.12668-1-joro@8bytes.org>
From: Tom Lendacky <thomas.lendacky@amd.com>
Some drivers require memory that is marked as EFI boot services data. So that
this memory is not re-used by the kernel after ExitBootServices(),
efi_mem_reserve() is used to preserve it by inserting a new EFI memory
descriptor and marking it with the EFI_MEMORY_RUNTIME attribute.
Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to
be mapped encrypted by Linux, otherwise the kernel might crash at boot
like below:
EFI Variables Facility v0.08 2004-May-17
general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI
CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:efi_mokvar_entry_next+0x34/0x40
Code: c5 01 48 8b 17 48 c7 07 00 00 00 00 48 85 c0 74 24 48 85 d2 74 14 80 3a 00 74 18 48 8b 82 00 01 00 00 48 8d 84 02 08 01 00 00 <80> 38 00 74 04 48 89 07 c3 31 c0 c3 0f 1f 44 00 00 41 54 4c 8b 25
[...]
Call Trace:
efi_mokvar_sysfs_init
? efi_mokvar_table_init
do_one_initcall
? __kmalloc
kernel_init_freeable
? rest_init
kernel_init
ret_from_fork
Modules linked in:
---[ end trace 0de27ecc25d41b73 ]---
Expand the __ioremap_check_other() function to additionally check for this
other type of "runtime" data and indicate that it should be mapped encrypted
for an SEV guest.
Fixes: 58c909022a5a ("efi: Support for MOK variable config table")
Reported-by: Joerg Roedel <jroedel@suse.de>
Tested-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
arch/x86/mm/ioremap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index 12c686c65ea9..60ade7dd71bd 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -118,7 +118,9 @@ static void __ioremap_check_other(resource_size_t addr, struct ioremap_desc *des
if (!IS_ENABLED(CONFIG_EFI))
return;
- if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA)
+ if (efi_mem_type(addr) == EFI_RUNTIME_SERVICES_DATA ||
+ (efi_mem_type(addr) == EFI_BOOT_SERVICES_DATA &&
+ efi_mem_attributes(addr) & EFI_MEMORY_RUNTIME))
desc->flags |= IORES_MAP_ENCRYPTED;
}
--
2.31.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-06-08 9:54 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 9:54 [PATCH v3 0/7] x86/sev-es: Fixes for SEV-ES Guest Support Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel [this message]
2021-06-08 9:54 ` [PATCH v3 1/7] x86/ioremap: Map efi_mem_reserve() memory as encrypted for SEV Joerg Roedel
2021-06-08 15:26 ` [tip: x86/urgent] x86/ioremap: Map EFI-reserved " tip-bot2 for Tom Lendacky
2021-06-08 9:54 ` [PATCH v3 2/7] x86/sev-es: Fix error message in runtime #VC handler Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 9:54 ` [PATCH v3 3/7] x86/sev-es: Disable IRQs while GHCB is active Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 9:54 ` [PATCH v3 4/7] x86/sev-es: Run #VC handler in plain IRQ state Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 11:58 ` Peter Zijlstra
2021-06-08 11:58 ` Peter Zijlstra
2021-06-08 13:25 ` Joerg Roedel
2021-06-08 13:25 ` Joerg Roedel
2021-06-08 9:54 ` [PATCH v3 5/7] x86/insn-eval: Make 0 a valid RIP for insn_get_effective_ip() Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 9:54 ` [PATCH v3 6/7] x86/insn: Extend error reporting from insn_fetch_from_user[_inatomic]() Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
2021-06-08 9:54 ` [PATCH v3 7/7] x86/sev-es: Propagate #GP if getting linear instruction address failed Joerg Roedel
2021-06-08 9:54 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210608095439.12668-2-joro@8bytes.org \
--to=joro@8bytes.org \
--cc=cfir@google.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=erdemaktas@google.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jroedel@suse.de \
--cc=jslaby@suse.cz \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=martin.b.radev@gmail.com \
--cc=mhiramat@kernel.org \
--cc=mstunes@vmware.com \
--cc=nivedita@alum.mit.edu \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
--cc=thomas.lendacky@amd.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.