From: Tom Lendacky <thomas.lendacky@amd.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Ard Biesheuvel <ardb+git@google.com>,
linux-kernel@vger.kernel.org,
Kevin Loughlin <kevinloughlin@google.com>,
Dionna Glaze <dionnaglaze@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Justin Stitt <justinstitt@google.com>,
Kees Cook <keescook@chromium.org>,
Brian Gerst <brgerst@gmail.com>,
linux-arch@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH v4 07/11] efi/libstub: Add generic support for parsing mem_encrypt=
Date: Tue, 20 Feb 2024 13:28:00 -0600 [thread overview]
Message-ID: <fccd8544-76ab-4723-9616-ff4bc783b692@amd.com> (raw)
In-Reply-To: <CAMj1kXG_sQ-+ULtvE7SqD0DYe3p9=tP8K9VPgfiR-0Z55A9vVw@mail.gmail.com>
On 2/19/24 11:06, Ard Biesheuvel wrote:
> On Mon, 19 Feb 2024 at 18:00, Tom Lendacky <thomas.lendacky@amd.com> wrote:
>>
>> On 2/13/24 06:41, Ard Biesheuvel wrote:
>>> From: Ard Biesheuvel <ardb@kernel.org>
>>>
>>> Parse the mem_encrypt= command line parameter from the EFI stub if
>>> CONFIG_ARCH_HAS_MEM_ENCRYPT=y, so that it can be passed to the early
>>> boot code by the arch code in the stub.
>>>
>>> This avoids the need for the core kernel to do any string parsing very
>>> early in the boot.
>>>
>>> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>>> ---
>>> drivers/firmware/efi/libstub/efi-stub-helper.c | 8 ++++++++
>>> drivers/firmware/efi/libstub/efistub.h | 2 +-
>>> 2 files changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> index bfa30625f5d0..3dc2f9aaf08d 100644
>>> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
>>> @@ -24,6 +24,8 @@ static bool efi_noinitrd;
>>> static bool efi_nosoftreserve;
>>> static bool efi_disable_pci_dma = IS_ENABLED(CONFIG_EFI_DISABLE_PCI_DMA);
>>>
>>> +int efi_mem_encrypt;
>>> +
>>> bool __pure __efi_soft_reserve_enabled(void)
>>> {
>>> return !efi_nosoftreserve;
>>> @@ -75,6 +77,12 @@ efi_status_t efi_parse_options(char const *cmdline)
>>> efi_noinitrd = true;
>>> } else if (IS_ENABLED(CONFIG_X86_64) && !strcmp(param, "no5lvl")) {
>>> efi_no5lvl = true;
>>> + } else if (IS_ENABLED(CONFIG_ARCH_HAS_MEM_ENCRYPT) &&
>>> + !strcmp(param, "mem_encrypt") && val) {
>>> + if (parse_option_str(val, "on"))
>>> + efi_mem_encrypt = 1;
>>> + else if (parse_option_str(val, "off"))
>>> + efi_mem_encrypt = -1;
>>
>> With CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT having recently been
>> removed, I'm not sure what parsing for mem_encrypt=off does.
>>
>> (Same thing in the next patch.)
>>
>
> We have to deal with both mem_encrypt=on and mem_encrypt=off occurring
> on the command line. efi_parse_options() may be called more than once,
> i.e., when there is a default command line baked into the image that
> can be overridden at runtime. So if the baked in one has
> mem_encrypt=on, mem_encrypt=off appearing later should counter that.
>
> The same applies to the next patch, although the decompressor appears
> to ignore the built-in command line entirely (I made a note of that in
> the commit log)
Ah, makes sense.
Thanks,
Tom
next prev parent reply other threads:[~2024-02-20 19:28 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 12:41 [PATCH v4 00/11] x86: Confine early 1:1 mapped startup code Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 01/11] x86/startup_64: Simplify global variable accesses in GDT/IDT programming Ard Biesheuvel
2024-02-13 20:05 ` Borislav Petkov
2024-02-13 21:53 ` Ard Biesheuvel
2024-02-14 7:28 ` Ard Biesheuvel
2024-02-15 13:52 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 02/11] x86/startup_64: Replace pointer fixups with RIP-relative references Ard Biesheuvel
2024-02-17 12:51 ` Borislav Petkov
2024-02-17 13:58 ` Ard Biesheuvel
2024-02-17 16:10 ` Ard Biesheuvel
2024-02-19 9:55 ` Borislav Petkov
2024-02-19 10:45 ` Ard Biesheuvel
2024-02-19 10:01 ` Borislav Petkov
2024-02-19 10:47 ` Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 03/11] x86/startup_64: Simplify CR4 handling in startup code Ard Biesheuvel
2024-02-19 10:32 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 04/11] x86/startup_64: Defer assignment of 5-level paging global variables Ard Biesheuvel
2024-02-20 18:45 ` Borislav Petkov
2024-02-20 23:33 ` Ard Biesheuvel
2024-02-21 10:09 ` Borislav Petkov
2024-02-21 10:20 ` Ard Biesheuvel
2024-02-21 11:12 ` Borislav Petkov
2024-02-21 11:21 ` Ard Biesheuvel
2024-02-21 11:23 ` Borislav Petkov
2024-02-13 12:41 ` [PATCH v4 05/11] x86/startup_64: Simplify calculation of initial page table address Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 06/11] x86/startup_64: Simplify virtual switch on primary boot Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 07/11] efi/libstub: Add generic support for parsing mem_encrypt= Ard Biesheuvel
2024-02-19 17:00 ` Tom Lendacky
2024-02-19 17:06 ` Ard Biesheuvel
2024-02-20 19:28 ` Tom Lendacky [this message]
2024-02-13 12:41 ` [PATCH v4 08/11] x86/boot: Move mem_encrypt= parsing to the decompressor Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 09/11] x86/sme: Move early SME kernel encryption handling into .head.text Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 10/11] x86/sev: Move early startup code into .head.text section Ard Biesheuvel
2024-02-13 12:41 ` [PATCH v4 11/11] x86/startup_64: Drop global variables keeping track of LA57 state Ard Biesheuvel
2024-02-14 15:24 ` Brian Gerst
2024-02-14 15:44 ` Ard Biesheuvel
2024-02-14 20:25 ` Brian Gerst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fccd8544-76ab-4723-9616-ff4bc783b692@amd.com \
--to=thomas.lendacky@amd.com \
--cc=ardb+git@google.com \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=dionnaglaze@google.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=kevinloughlin@google.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox