path: root/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch
Diffstat (limited to 'meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch')
-rw-r--r--  meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch  92
1 files changed, 0 insertions, 92 deletions
diff --git a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch b/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch
deleted file mode 100644
index 619087b4..00000000
--- a/meta-amd-bsp/recipes-kernel/linux/linux-yocto-4.14.71-e3000/0042-Documentation-x86-Add-AMD-Secure-Encrypted-Virtualiz.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 73e22bb33ff668812fefcfb4b4faa003666bb790 Mon Sep 17 00:00:00 2001
-From: Brijesh Singh <brijesh.singh@amd.com>
-Date: Fri, 20 Oct 2017 09:30:43 -0500
-Subject: [PATCH 42/95] Documentation/x86: Add AMD Secure Encrypted
- Virtualization (SEV) description
-
-Update the AMD memory encryption document describing the Secure Encrypted
-Virtualization (SEV) feature.
-
-Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Borislav Petkov <bp@suse.de>
-Cc: Tom Lendacky <thomas.lendacky@amd.com>
-Cc: kvm@vger.kernel.org
-Cc: Jonathan Corbet <corbet@lwn.net>
-Cc: Borislav Petkov <bp@alien8.de>
-Link: https://lkml.kernel.org/r/20171020143059.3291-2-brijesh.singh@amd.com
-Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
----
- Documentation/x86/amd-memory-encryption.txt | 30 +++++++++++++++++++++++++----
- 1 file changed, 26 insertions(+), 4 deletions(-)
-
-diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt
-index f512ab7..afc41f5 100644
---- a/Documentation/x86/amd-memory-encryption.txt
-+++ b/Documentation/x86/amd-memory-encryption.txt
-@@ -1,4 +1,5 @@
--Secure Memory Encryption (SME) is a feature found on AMD processors.
-+Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
-+features found on AMD processors.
-
- SME provides the ability to mark individual pages of memory as encrypted using
- the standard x86 page tables. A page that is marked encrypted will be
-@@ -6,24 +7,38 @@ automatically decrypted when read from DRAM and encrypted when written to
- DRAM. SME can therefore be used to protect the contents of DRAM from physical
- attacks on the system.
-
-+SEV enables running encrypted virtual machines (VMs) in which the code and data
-+of the guest VM are secured so that a decrypted version is available only
-+within the VM itself. SEV guest VMs have the concept of private and shared
-+memory. Private memory is encrypted with the guest-specific key, while shared
-+memory may be encrypted with hypervisor key. When SME is enabled, the hypervisor
-+key is the same key which is used in SME.
-+
- A page is encrypted when a page table entry has the encryption bit set (see
- below on how to determine its position). The encryption bit can also be
- specified in the cr3 register, allowing the PGD table to be encrypted. Each
- successive level of page tables can also be encrypted by setting the encryption
- bit in the page table entry that points to the next table. This allows the full
- page table hierarchy to be encrypted. Note, this means that just because the
--encryption bit is set in cr3, doesn't imply the full hierarchy is encyrpted.
-+encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
- Each page table entry in the hierarchy needs to have the encryption bit set to
- achieve that. So, theoretically, you could have the encryption bit set in cr3
- so that the PGD is encrypted, but not set the encryption bit in the PGD entry
- for a PUD which results in the PUD pointed to by that entry to not be
- encrypted.
-
--Support for SME can be determined through the CPUID instruction. The CPUID
--function 0x8000001f reports information related to SME:
-+When SEV is enabled, instruction pages and guest page tables are always treated
-+as private. All the DMA operations inside the guest must be performed on shared
-+memory. Since the memory encryption bit is controlled by the guest OS when it
-+is operating in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware
-+forces the memory encryption bit to 1.
-+
-+Support for SME and SEV can be determined through the CPUID instruction. The
-+CPUID function 0x8000001f reports information related to SME:
-
- 0x8000001f[eax]:
- Bit[0] indicates support for SME
-+ Bit[1] indicates support for SEV
- 0x8000001f[ebx]:
- Bits[5:0] pagetable bit number used to activate memory
- encryption
-@@ -39,6 +54,13 @@ determine if SME is enabled and/or to enable memory encryption:
- Bit[23] 0 = memory encryption features are disabled
- 1 = memory encryption features are enabled
-
-+If SEV is supported, MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if
-+SEV is active:
-+
-+ 0xc0010131:
-+ Bit[0] 0 = memory encryption is not active
-+ 1 = memory encryption is active
-+
- Linux relies on BIOS to set this bit if BIOS has determined that the reduction
- in the physical address space as a result of enabling memory encryption (see
- CPUID information above) will not conflict with the address space resource
---
-2.7.4
-
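Review bot: the hunk deletes the whole 0042 patch from the linux-yocto-4.14.71-e3000 series, but nothing in this diff shows the matching removal of that file from the kernel recipe's SRC_URI, so the recipe should be checked (or updated in the same change) so it does not reference a patch that no longer exists, and the gap left in the 42/95 numbering deserves a sentence in the commit message. The removed patch is documentation-only (Documentation/x86/amd-memory-encryption.txt, 26 insertions and 4 deletions), so dropping it does not alter the built kernel, but this tree's copy of that file will no longer describe SEV private versus shared guest memory, CPUID 0x8000001f[eax] Bit[1], or MSR 0xc0010131 (MSR_AMD64_SEV) as the way to tell whether SEV is active; if the intent is that the 4.14.71 base already carries this text, the commit message should state that so reviewers do not have to verify it by hand.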