Diffstat (limited to 'meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0046-x86-mm-Use-encrypted-access-of-boot-related-data-wit.patch')
-rw-r--r-- | meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0046-x86-mm-Use-encrypted-access-of-boot-related-data-wit.patch | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0046-x86-mm-Use-encrypted-access-of-boot-related-data-wit.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0046-x86-mm-Use-encrypted-access-of-boot-related-data-wit.patch
new file mode 100644
index 00000000..a2d28208
--- /dev/null
+++ b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0046-x86-mm-Use-encrypted-access-of-boot-related-data-wit.patch
@@ -0,0 +1,118 @@
+From 95a0bf447324daaff28bc9cd7b2f6f0990421dc7 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 20 Oct 2017 09:30:47 -0500
+Subject: [PATCH 46/95] x86/mm: Use encrypted access of boot related data with
+ SEV
+
+When Secure Encrypted Virtualization (SEV) is active, boot data (such as
+EFI related data, setup data) is encrypted and needs to be accessed as
+such when mapped. Update the architecture override in early_memremap to
+keep the encryption attribute when mapping this data.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Tested-by: Borislav Petkov <bp@suse.de>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Link: https://lkml.kernel.org/r/20171020143059.3291-6-brijesh.singh@amd.com
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+---
+ arch/x86/mm/ioremap.c | 44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
+index 7bebdd0..f0b91a2 100644
+--- a/arch/x86/mm/ioremap.c
++++ b/arch/x86/mm/ioremap.c
+@@ -422,6 +422,9 @@ void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
+ * areas should be mapped decrypted. And since the encryption key can
+ * change across reboots, persistent memory should also be mapped
+ * decrypted.
++ *
++ * If SEV is active, that implies that BIOS/UEFI also ran encrypted so
++ * only persistent memory should be mapped decrypted.
+ */
+ static bool memremap_should_map_decrypted(resource_size_t phys_addr,
+ unsigned long size)
+@@ -458,6 +461,11 @@ static bool memremap_should_map_decrypted(resource_size_t phys_addr,
+ case E820_TYPE_ACPI:
+ case E820_TYPE_NVS:
+ case E820_TYPE_UNUSABLE:
++ /* For SEV, these areas are encrypted */
++ if (sev_active())
++ break;
++ /* Fallthrough */
++
+ case E820_TYPE_PRAM:
+ return true;
+ default:
+@@ -581,7 +589,7 @@ static bool __init early_memremap_is_setup_data(resource_size_t phys_addr,
+ bool arch_memremap_can_ram_remap(resource_size_t phys_addr, unsigned long size,
+ unsigned long flags)
+ {
+- if (!sme_active())
++ if (!mem_encrypt_active())
+ return true;
+
+ if (flags & MEMREMAP_ENC)
+@@ -590,12 +598,13 @@ bool arch_memremap_can_ram_remap(resource_size_t phys_addr, unsigned long size,
+ if (flags & MEMREMAP_DEC)
+ return false;
+
+- if (memremap_is_setup_data(phys_addr, size) ||
+- memremap_is_efi_data(phys_addr, size) ||
+- memremap_should_map_decrypted(phys_addr, size))
+- return false;
++ if (sme_active()) {
++ if (memremap_is_setup_data(phys_addr, size) ||
++ memremap_is_efi_data(phys_addr, size))
++ return false;
++ }
+
+- return true;
++ return !memremap_should_map_decrypted(phys_addr, size);
+ }
+
+ /*
+@@ -608,17 +617,24 @@ pgprot_t __init early_memremap_pgprot_adjust(resource_size_t phys_addr,
+ unsigned long size,
+ pgprot_t prot)
+ {
+- if (!sme_active())
++ bool encrypted_prot;
++
++ if (!mem_encrypt_active())
+ return prot;
+
+- if (early_memremap_is_setup_data(phys_addr, size) ||
+- memremap_is_efi_data(phys_addr, size) ||
+- memremap_should_map_decrypted(phys_addr, size))
+- prot = pgprot_decrypted(prot);
+- else
+- prot = pgprot_encrypted(prot);
++ encrypted_prot = true;
++
++ if (sme_active()) {
++ if (early_memremap_is_setup_data(phys_addr, size) ||
++ memremap_is_efi_data(phys_addr, size))
++ encrypted_prot = false;
++ }
++
++ if (encrypted_prot && memremap_should_map_decrypted(phys_addr, size))
++ encrypted_prot = false;
+
+- return prot;
++ return encrypted_prot ? pgprot_encrypted(prot)
++ : pgprot_decrypted(prot);
+ }
+
+ bool phys_mem_access_encrypted(unsigned long phys_addr, unsigned long size)
+--
+2.7.4
+ |
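Review bot: The new `if (sme_active())` blocks in arch_memremap_can_ram_remap() and early_memremap_pgprot_adjust() have no comment saying why the setup-data and EFI-data checks are skipped under SEV, although that skip decides whether boot data is mapped with the encryption attribute. Going by the commit message, a comment above each block such as `/* SME only: setup and EFI data are not encrypted; under SEV they are, so only memremap_should_map_decrypted() decides */` would keep a later edit from widening the decrypted set by accident. The `break` added under `if (sev_active())` in memremap_should_map_decrypted() leaves the switch, and the code it falls into is outside the hunk, so it is worth confirming that path still ends in `return false` for these E820 types on the 4.14.71 base. Separately, the patch header carries a `Link:` but no `Upstream-Status: Backport` line naming the mainline commit, which makes it harder to audit the carried patch against upstream.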