diff options
Diffstat (limited to 'meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch')
| -rw-r--r-- | meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch new file mode 100644 index 00000000..619087b4 --- /dev/null +++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch @@ -0,0 +1,92 @@ +From 73e22bb33ff668812fefcfb4b4faa003666bb790 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh <brijesh.singh@amd.com> +Date: Fri, 20 Oct 2017 09:30:43 -0500 +Subject: [PATCH 42/95] Documentation/x86: Add AMD Secure Encrypted + Virtualization (SEV) description + +Update the AMD memory encryption document describing the Secure Encrypted +Virtualization (SEV) feature. + +Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Borislav Petkov <bp@suse.de> +Cc: Tom Lendacky <thomas.lendacky@amd.com> +Cc: kvm@vger.kernel.org +Cc: Jonathan Corbet <corbet@lwn.net> +Cc: Borislav Petkov <bp@alien8.de> +Link: https://lkml.kernel.org/r/20171020143059.3291-2-brijesh.singh@amd.com +Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com> +--- + Documentation/x86/amd-memory-encryption.txt | 30 +++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt +index f512ab7..afc41f5 100644 +--- a/Documentation/x86/amd-memory-encryption.txt ++++ b/Documentation/x86/amd-memory-encryption.txt +@@ -1,4 +1,5 @@ +-Secure Memory Encryption (SME) is a feature found on AMD processors. ++Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are ++features found on AMD processors. + + SME provides the ability to mark individual pages of memory as encrypted using + the standard x86 page tables. A page that is marked encrypted will be +@@ -6,24 +7,38 @@ automatically decrypted when read from DRAM and encrypted when written to + DRAM. SME can therefore be used to protect the contents of DRAM from physical + attacks on the system. + ++SEV enables running encrypted virtual machines (VMs) in which the code and data ++of the guest VM are secured so that a decrypted version is available only ++within the VM itself. SEV guest VMs have the concept of private and shared ++memory. Private memory is encrypted with the guest-specific key, while shared ++memory may be encrypted with hypervisor key. When SME is enabled, the hypervisor ++key is the same key which is used in SME. ++ + A page is encrypted when a page table entry has the encryption bit set (see + below on how to determine its position). The encryption bit can also be + specified in the cr3 register, allowing the PGD table to be encrypted. Each + successive level of page tables can also be encrypted by setting the encryption + bit in the page table entry that points to the next table. This allows the full + page table hierarchy to be encrypted. Note, this means that just because the +-encryption bit is set in cr3, doesn't imply the full hierarchy is encyrpted. ++encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted. + Each page table entry in the hierarchy needs to have the encryption bit set to + achieve that. So, theoretically, you could have the encryption bit set in cr3 + so that the PGD is encrypted, but not set the encryption bit in the PGD entry + for a PUD which results in the PUD pointed to by that entry to not be + encrypted. + +-Support for SME can be determined through the CPUID instruction. The CPUID +-function 0x8000001f reports information related to SME: ++When SEV is enabled, instruction pages and guest page tables are always treated ++as private. All the DMA operations inside the guest must be performed on shared ++memory. Since the memory encryption bit is controlled by the guest OS when it ++is operating in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware ++forces the memory encryption bit to 1. ++ ++Support for SME and SEV can be determined through the CPUID instruction. The ++CPUID function 0x8000001f reports information related to SME: + + 0x8000001f[eax]: + Bit[0] indicates support for SME ++ Bit[1] indicates support for SEV + 0x8000001f[ebx]: + Bits[5:0] pagetable bit number used to activate memory + encryption +@@ -39,6 +54,13 @@ determine if SME is enabled and/or to enable memory encryption: + Bit[23] 0 = memory encryption features are disabled + 1 = memory encryption features are enabled + ++If SEV is supported, MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if ++SEV is active: ++ ++ 0xc0010131: ++ Bit[0] 0 = memory encryption is not active ++ 1 = memory encryption is active ++ + Linux relies on BIOS to set this bit if BIOS has determined that the reduction + in the physical address space as a result of enabling memory encryption (see + CPUID information above) will not conflict with the address space resource +-- +2.7.4 + |