iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

x86/sev-es: Add SEV-ES Feature Detection

Browse Source 
Add a sev_es_active() function for checking whether SEV-ES is enabled.
Also cache the value of MSR_AMD64_SEV at boot to speed up the feature
checking in the running code.

 [ bp: Remove "!!" in sev_active() too. ]

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/20200907131613.12703-37-joro@8bytes.org
This commit is contained in:
Joerg Roedel 2020-09-07 15:15:37 +02:00 committed by Borislav Petkov
parent 4b47cdbda6
commit b57de6cd16
4 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
arch/x86/include/asm/mem_encrypt.h
View File

@ -19,6 +19,7 @@
#ifdef CONFIG_AMD_MEM_ENCRYPT #ifdef CONFIG_AMD_MEM_ENCRYPT
extern u64 sme_me_mask; extern u64 sme_me_mask;
extern u64 sev_status;
extern bool sev_enabled; extern bool sev_enabled;
void sme_encrypt_execute(unsigned long encrypted_kernel_vaddr, void sme_encrypt_execute(unsigned long encrypted_kernel_vaddr,
@ -50,6 +51,7 @@ void __init mem_encrypt_init(void);
bool sme_active(void); bool sme_active(void);
bool sev_active(void); bool sev_active(void);
bool sev_es_active(void);
#define __bss_decrypted __attribute__((__section__(".bss..decrypted"))) #define __bss_decrypted __attribute__((__section__(".bss..decrypted")))
@ -72,6 +74,7 @@ static inline void __init sme_enable(struct boot_params *bp) { }
static inline bool sme_active(void) { return false; } static inline bool sme_active(void) { return false; }
static inline bool sev_active(void) { return false; } static inline bool sev_active(void) { return false; }
static inline bool sev_es_active(void) { return false; }
static inline int __init static inline int __init
early_set_memory_decrypted(unsigned long vaddr, unsigned long size) { return 0; } early_set_memory_decrypted(unsigned long vaddr, unsigned long size) { return 0; }

2
arch/x86/include/asm/msr-index.h
View File

@ -469,7 +469,9 @@
#define MSR_AMD64_SEV_ES_GHCB 0xc0010130 #define MSR_AMD64_SEV_ES_GHCB 0xc0010130
#define MSR_AMD64_SEV 0xc0010131 #define MSR_AMD64_SEV 0xc0010131
#define MSR_AMD64_SEV_ENABLED_BIT 0 #define MSR_AMD64_SEV_ENABLED_BIT 0
#define MSR_AMD64_SEV_ES_ENABLED_BIT 1
#define MSR_AMD64_SEV_ENABLED BIT_ULL(MSR_AMD64_SEV_ENABLED_BIT) #define MSR_AMD64_SEV_ENABLED BIT_ULL(MSR_AMD64_SEV_ENABLED_BIT)
#define MSR_AMD64_SEV_ES_ENABLED BIT_ULL(MSR_AMD64_SEV_ES_ENABLED_BIT)
#define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f #define MSR_AMD64_VIRT_SPEC_CTRL 0xc001011f

9
arch/x86/mm/mem_encrypt.c
View File

@ -38,6 +38,7 @@
* section is later cleared. * section is later cleared.
*/ */
u64 sme_me_mask __section(.data) = 0; u64 sme_me_mask __section(.data) = 0;
u64 sev_status __section(.data) = 0;
EXPORT_SYMBOL(sme_me_mask); EXPORT_SYMBOL(sme_me_mask);
DEFINE_STATIC_KEY_FALSE(sev_enable_key); DEFINE_STATIC_KEY_FALSE(sev_enable_key);
EXPORT_SYMBOL_GPL(sev_enable_key); EXPORT_SYMBOL_GPL(sev_enable_key);
@ -347,7 +348,13 @@ bool sme_active(void)
bool sev_active(void) bool sev_active(void)
{ {
return sme_me_mask && sev_enabled; return sev_status & MSR_AMD64_SEV_ENABLED;
}
/* Needs to be called from non-instrumentable code */
bool noinstr sev_es_active(void)
{
return sev_status & MSR_AMD64_SEV_ES_ENABLED;
} }
/* Override for DMA direct allocation check - ARCH_HAS_FORCE_DMA_UNENCRYPTED */ /* Override for DMA direct allocation check - ARCH_HAS_FORCE_DMA_UNENCRYPTED */

3
arch/x86/mm/mem_encrypt_identity.c
View File

@ -540,6 +540,9 @@ void __init sme_enable(struct boot_params *bp)
if (!(msr & MSR_AMD64_SEV_ENABLED)) if (!(msr & MSR_AMD64_SEV_ENABLED))
return; return;
/* Save SEV_STATUS to avoid reading MSR again */
sev_status = msr;
/* SEV state cannot be controlled by a command line option */ /* SEV state cannot be controlled by a command line option */
sme_me_mask = me_mask; sme_me_mask = me_mask;
sev_enabled = true; sev_enabled = true;