From: Dave Hansen <dave.hansen@intel.com>
To: "Nikunj A. Dadhania" <nikunj@amd.com>, bp@alien8.de
Cc: tglx@kernel.org, mingo@redhat.com, kvm@vger.kernel.org,
dave.hansen@linux.intel.com, hpa@zytor.com, xin@zytor.com,
seanjc@google.com, pbonzini@redhat.com, x86@kernel.org,
jon.grimm@amd.com, stable@vger.kernel.org,
Tom Lendacky <thomas.lendacky@amd.com>,
linux-kernel@vger.kernel.org, sohil.mehta@intel.com,
andrew.cooper3@citrix.com
Subject: Re: [PATCH] x86/fred: Fix early boot failures on SEV-ES/SNP guests
Date: Mon, 16 Feb 2026 09:10:15 -0800 [thread overview]
Message-ID: <1bc0b798-9cef-4dfd-af06-7674b699af1b@intel.com> (raw)
In-Reply-To: <317f7def-9ac7-41e1-8754-808cd08f88cb@amd.com>
> CR pinning can prematurely enable features during secondary CPU bringup
> before their supporting infrastructure is initialized. Specifically, when
> FRED is enabled, cr4_init() sets CR4.FRED via the pinned mask early in
> start_secondary(), long before cpu_init_fred_exceptions() configures the
> required FRED MSRs. This creates a window where exceptions cannot be
> properly handled.
This is a collision of FRED, CR-pinning and SEV. Future me would
appreciate having all that background in one place:
== CR Pinning Background ==
Modern CPU hardening features like SMAP/SMEP are enabled by
flipping control register (CR) bits. Attackers find these
features inconvenient and often try to disable them.
CR-pinning is a kernel hardening feature that detects when
security-sensitive control bits are flipped off, complains about
it, then turns them back on. The CR-pinning checks are performed
in the CR manipulation helpers.
X86_CR4_FRED controls FRED enabling and is pinned. There is a
single, system-wide static key that controls CR-pinning
behavior. The static key is enabled by the boot CPU after it has
established its CR configuration.
The end result is that CR-pinning is not active while
initializing the boot CPU but it is active while bringing up
secondary CPUs.
== FRED Background ==
FRED is a new hardware entry/exit feature for the kernel. It is
not on by default and started out as Intel-only. AMD is just
adding support now.
FRED has MSRs for configuration and is enabled by the pinned
X86_CR4_FRED bit. It should not be enabled until after MSRs are
properly initialized.
== SEV Background ==
Some flavors of AMD SEV have special virtualization exceptions:
#VC. These exceptions happen in "weird" places like when
accessing MMIO, running CPUID or even accessing apparently
normal kernel memory.
Writes to the console can generate #VC.
== Problem ==
CR-pinning implicitly enables FRED on secondary CPUs at a
different point than the boot CPU. This point is *before* the
CPU has done an explicit cr4_set_bits(X86_CR4_FRED) and before
the MSRs are initialized. This means that there is a window
where no exceptions can be handled.
For SEV-ES/SNP and TDX guests, any console output during this
window triggers #VC or #VE exceptions that result in triple
faults because the exception handlers rely on FRED MSRs that
aren't yet configured.
== Fix ==
Defer CR-pinning enforcement during secondary CPU bringup. This
avoids any implicit CR changes during CPU bringup, ensuring that
FRED is not enabled before it is configured and able to handle a
#VC.
This also aligns boot and secondary CPU bringup.
Note: FRED is not on by default anywhere so this is not likely
to be causing many problems. The only reason this was noticed
was that AMD started to enable FRED and was turning it on.
With that, you can add:
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
next prev parent reply other threads:[~2026-02-16 17:10 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-05 5:10 [PATCH] x86/fred: Fix early boot failures on SEV-ES/SNP guests Nikunj A Dadhania
2026-02-05 5:55 ` Greg KH
2026-02-05 6:10 ` Nikunj A. Dadhania
2026-02-05 6:20 ` Greg KH
2026-02-05 15:50 ` Sean Christopherson
2026-02-05 15:58 ` Dave Hansen
2026-02-05 16:00 ` Greg KH
2026-02-05 5:56 ` Greg KH
2026-02-05 6:24 ` Nikunj A. Dadhania
2026-02-05 7:11 ` Xin Li
2026-02-05 8:54 ` Nikunj A. Dadhania
2026-02-05 14:34 ` Xin Li
2026-02-05 10:41 ` kernel test robot
2026-02-06 3:31 ` Nikunj A. Dadhania
2026-02-06 9:34 ` Xin Li
2026-02-05 12:24 ` kernel test robot
2026-02-05 12:35 ` kernel test robot
2026-02-05 16:10 ` Dave Hansen
2026-02-05 17:20 ` Dave Hansen
2026-02-05 17:39 ` Tom Lendacky
2026-02-06 12:38 ` Nikunj A. Dadhania
2026-02-16 5:16 ` Nikunj A. Dadhania
2026-02-16 17:10 ` Dave Hansen [this message]
2026-02-19 19:27 ` Sohil Mehta
2026-02-19 20:22 ` Dave Hansen
2026-02-19 20:50 ` Sohil Mehta
2026-02-05 17:39 ` H. Peter Anvin
2026-02-06 12:12 ` Nikunj A. Dadhania
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1bc0b798-9cef-4dfd-af06-7674b699af1b@intel.com \
--to=dave.hansen@intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jon.grimm@amd.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nikunj@amd.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=sohil.mehta@intel.com \
--cc=stable@vger.kernel.org \
--cc=tglx@kernel.org \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
--cc=xin@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox