Re: [PATCH] crypto: ccp: Load the firmware twice when SEV API version < 1.43

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Harald Hoyer <harald@profian.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Jarkko Sakkinen <jarkko@profian.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	John Allen <john.allen@amd.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"open list:AMD CRYPTOGRAPHIC COPROCESSOR (CCP) DRIVER - SE..." 
	<linux-crypto@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] crypto: ccp: Load the firmware twice when SEV API version < 1.43
Date: Sat, 6 Aug 2022 21:16:25 +0300	[thread overview]
Message-ID: <Yu6v+ZFe7zDQjcvZ@kernel.org> (raw)
In-Reply-To: <cd0d79a9-310c-2181-401a-64a67f454c66@amd.com>

On Thu, Aug 04, 2022 at 08:51:02AM -0500, Tom Lendacky wrote:
> On 8/4/22 08:37, Harald Hoyer wrote:
> > Am 04.08.22 um 15:13 schrieb Tom Lendacky:
> > > On 8/3/22 20:02, Jarkko Sakkinen wrote:
> > > > From: Jarkko Sakkinen <jarkko@profian.com>
> > > > 
> > > > SEV-SNP does not initialize to a legit state, unless the firmware is
> > > > loaded twice, when SEP API version < 1.43, and the firmware is updated
> > > > to a later version. Because of this user space needs to work around
> > > > this with "rmmod && modprobe" combo. Fix this by implementing the
> > > > workaround to the driver.
> > > 
> > > The SNP hypervisor patches are placing a minimum supported version
> > > requirement for the SEV firmware that exceeds the specified version
> > > above [1] (for the reason above, as well as some others), so this patch
> > > is not needed, NAK.
> > 
> > As described in the "Milan Release Notes.txt" of the AMD firmware update
> > package amd_sev_fam19h_model0xh_1.33.03.zip.
> > 
> > "If upgrading to 1.33.01 or later from something older (picking up
> > CSF-1201), it is required that two Download Firmware commands be run to
> > fix the "Committed Version" across the firmware. CSF-1201 fixed a bug
> > where the committed version in the attestation report was incorrect.
> > Performing a single Download Firmware will upgrade the firmware, but
> > performing a second one will correct the committed version. This is a
> > one-time upgrade issue.
> > "
> > 
> > Note that `1.33.01` is not the same version number as "1.51" in [1]. One
> > is the firmware version, the other is the SEV-SNP API version.
> 
> It is the same and are meant to correlate, the 33 is hex => 51.
> 
> > 
> > I am definitely seeing a wrong TCB version, if the firmware is only
> > updated once to `1.33.01` aka "1.51".
> > Reloading the `ccp` module, which triggers another firmware load, cures
> > the problem.
> > 
> > The patch might be wrong, as it might not do the right thing, but the
> > problem and the solution exist.
> > 
> > What is your suggestion then to fix the wrong committed TCB version?
> 
> Hmmm... ok, I see what you're saying. We don't want to have to make everyone
> update their BIOS/firmware to get to a starting level above 1.43 to begin
> with.
> 
> Ok, let me review/comment on the patch.

This was has a bug, and the reference to what Harald denoted
is missing. Hold on for v2. I'll put it out soon.

BR, Jarkko

next prev parent reply	other threads:[~2022-08-06 18:16 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-04  1:02 [PATCH] crypto: ccp: Load the firmware twice when SEV API version < 1.43 Jarkko Sakkinen
2022-08-04 13:13 ` Tom Lendacky
2022-08-04 13:37   ` Harald Hoyer
2022-08-04 13:51     ` Tom Lendacky
2022-08-06 18:16       ` Jarkko Sakkinen [this message]
2022-08-06 18:15     ` Jarkko Sakkinen
2022-08-04 13:39   ` Jeremi Piotrowski
2022-08-04 14:59 ` Tom Lendacky
2022-08-06 18:17   ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Yu6v+ZFe7zDQjcvZ@kernel.org \
    --to=jarkko@kernel.org \
    --cc=brijesh.singh@amd.com \
    --cc=davem@davemloft.net \
    --cc=harald@profian.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@profian.com \
    --cc=john.allen@amd.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=thomas.lendacky@amd.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.