1 files changed, 52 insertions, 0 deletions

diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0045-x86-mm-Don-t-attempt-to-encrypt-initrd-under-SEV.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0045-x86-mm-Don-t-attempt-to-encrypt-initrd-under-SEV.patch
new file mode 100644
index 00000000..1da2e057
--- /dev/null
+++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0045-x86-mm-Don-t-attempt-to-encrypt-initrd-under-SEV.patch
@@ -0,0 +1,52 @@
+From e15f9433db1cdc2f48c3b9529b0d009b66ed4613 Mon Sep 17 00:00:00 2001
+From: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Date: Mon, 13 Aug 2018 14:34:26 +0530
+Subject: [PATCH 45/95] x86/mm: Don't attempt to encrypt initrd under SEV
+
+From 682af54399b6111730aec0be63e5f6a3a3359a76
+
+When SEV is active the initrd/initramfs will already have already been
+placed in memory encrypted so do not try to encrypt it.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Tested-by: Borislav Petkov <bp@suse.de>
+Cc: kvm@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Link: https://lkml.kernel.org/r/20171020143059.3291-4-brijesh.singh@amd.com
+
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+---
+ arch/x86/kernel/setup.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+ mode change 100644 => 100755 arch/x86/kernel/setup.c
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+old mode 100644
+new mode 100755
+index dcb00ac..aa23f8c
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -376,6 +376,16 @@ static void __init reserve_initrd(void)
+ 	    !ramdisk_image || !ramdisk_size)
+ 		return;		/* No initrd provided by bootloader */
+ 
++	/*
++	 * If SME is active, this memory will be marked encrypted by the
++	 * kernel when it is accessed (including relocation). However, the
++	 * ramdisk image was loaded decrypted by the bootloader, so make
++	 * sure that it is encrypted before accessing it. For SEV the
++	 * ramdisk will already be encrypted, so only do this for SME.
++	 */
++	if (sme_active())
++		sme_early_encrypt(ramdisk_image, ramdisk_end - ramdisk_image);
++
+ 	initrd_start = 0;
+ 
+ 	mapped_size = memblock_mem_size(max_pfn_mapped);
+-- 
+2.7.4
+