On 12/7/2016 7:19 AM, Matt Fleming wrote:
> On Wed, 09 Nov, at 06:36:31PM, Tom Lendacky wrote:
>> Boot data (such as EFI related data) is not encrypted when the system is
>> booted and needs to be accessed unencrypted. Add support to apply the
>> proper attributes to the E
This patch adds a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt | 57 +++
2 files changed, 68
the necessary #ifdefs
to allow head_64.S to successfully build and call the SME routines.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/Makefile |2 +
arch/x86/kernel/head_64.S | 46 -
arch/x86/kernel/mem_encrypt_init.c | 50
routine to update the protection map with
the memory encryption mask so that it is used by default
- #undef CONFIG_AMD_MEM_ENCRYPT in the compressed boot path
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h|7 +
arch
s that the hardware will never give the core a
dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig |4 +++
arch/x86/include/asm/fixmap.h| 13 ++
arch/x86/include/asm/pgtable_types.h |8 ++
arch/x86/mm
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeature.h|7 +--
arch/x86/include/asm/cpufeatures.h |5 -
arch/x86/include/asm/disabled-features.h |3 ++-
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/include/asm/required-features.h |3
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/common.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/x86
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
This patch adds support to return the E820 type associated with an address
range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820/api.h |2 ++
arch/x86/include/asm/e820/types.h |2 ++
arch/x86/kernel/e820.c| 26 +++---
3 files changed, 27
initrd, encrypt this data in place. Since the future mapping of the
initrd area will be mapped as encrypted the data will be accessed properly.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 11 +
arch/x86/kernel/head64.c | 34 +++--
arch/x86
encrypting data "in place". The write-protect attribute is
considered cacheable for loads, but not stores. This implies that the
hardware will never give the core a dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 +++
a
This patch adds support that will determine if a supplied physical address
matches the address of an EFI table.
Signed-off-by: Tom Lendacky
---
drivers/firmware/efi/efi.c | 33 +
include/linux/efi.h|7 +++
2 files changed, 40 insertions(+)
diff
Update the efi_mem_type() to return EFI_RESERVED_TYPE instead of a
hardcoded 0.
Signed-off-by: Tom Lendacky
---
arch/x86/platform/efi/efi.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index a15cf81..6407103
attribute can be applied.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/io.h |3 +
arch/x86/include/asm/setup.h |8 +++
arch/x86/kernel/setup.c| 33
arch/x86/mm/ioremap.c | 111
arch/x86/platform/efi
Add support for changing the memory encryption attribute for one or more
memory pages.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 ++
arch/x86/mm/pageattr.c| 66 +
2 files changed, 69 insertions(+)
diff --git a
-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 +--
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 -
arch/x86/mm/mem_encrypt.c
.
Signed-off-by: Tom Lendacky
---
arch/x86/mm/ioremap.c |2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index b0ff6bc..c6cb921 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -498,6 +498,8 @@ static bool
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow the user to determine some
appropriate action - if necessary.
Signed-off-by: Tom Lendacky
---
arch/x86/include
For now, disable the AMD IOMMU if memory encryption is active. A future
patch will re-enable the function with full memory encryption support.
Signed-off-by: Tom Lendacky
---
drivers/iommu/amd_iommu_init.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/drivers/iommu
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/realmode.h | 12
arch/x86/realmode/init.c |4
arch/x86/realmode/rm/trampoline_64.S | 17 +
3 files changed, 33 insertions(+)
diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include
Update the KVM support to include the memory encryption mask when creating
and using nested page tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |3 ++-
arch/x86/kvm/mmu.c |8 ++--
arch/x86/kvm/vmx.c |3 ++-
arch/x86/kvm/x86.c
Since video memory needs to be accessed decrypted, be sure that the
memory encryption mask is not set for the video ranges.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
drivers/gpu/drm/drm_gem.c|2 ++
drivers/gpu/drm/drm_vm.c |4
Use memremap() to map the setup data. This will make the appropriate
decision as to whether a RAM remapping can be done or if a fallback to
ioremap_cache() is needed (similar to the setup data debugfs support).
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/ksysfs.c | 27
Use memremap() to map the setup data. This simplifies the code and will
make the appropriate decision as to whether a RAM remapping can be done
or if a fallback to ioremap_cache() is needed (which includes checking
PageHighMem).
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/kdebugfs.c | 30
encryption bit. This
can cause random memory corruption when caches are flushed depending on
which cacheline is written last.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h|2 ++
arch/x86/include/asm/init.h |1 +
arch/x86/include/asm/mem_encrypt.h | 10
"in place."
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head_64.S |1 +
arch/x86/kernel/mem_encrypt_init.c | 71 +++-
arch/x86/mm/mem_encrypt.c |2 +
3 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/h
This patch adds the support to encrypt the kernel in-place. This is
done by creating new page mappings for the kernel - a decrypted
write-protected mapping and an encrypted mapping. The kernel is encrypted
by copying the kernel through a temporary buffer.
Signed-off-by: Tom Lendacky
---
arch
of physical address size
of the processor. It is possible that BIOS could have configured resources
into a range that will now not be addressable. To prevent this,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A CPU running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
On 02/16/2017 12:13 PM, Borislav Petkov wrote:
> On Thu, Feb 16, 2017 at 09:42:36AM -0600, Tom Lendacky wrote:
>> Update the CPU features to include identifying and reporting on the
>> Secure Memory Encryption (SME) feature. SME is identified by CPUID
>> 0x801f, but req
On 02/16/2017 11:56 AM, Borislav Petkov wrote:
> Ok, this time detailed review :-)
>
> On Thu, Feb 16, 2017 at 09:42:11AM -0600, Tom Lendacky wrote:
>> This patch adds a Documentation entry to describe the AMD Secure Memory
>> Encryption (SME) feature.
>
> Please introdu
On 2/17/2017 5:07 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:42:25AM -0600, Tom Lendacky wrote:
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
enabled.
Is the point of kexec and kdump to ehh, dump memory ? But if the
rest of the memory is encrypted you
On 2/17/2017 9:59 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:46:19AM -0600, Tom Lendacky wrote:
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to
On 2/20/2017 6:51 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:19AM -0600, Tom Lendacky wrote:
This patch adds support to the early boot code to use Secure Memory
Encryption (SME). Support is added to update the early pagetables with
the memory encryption mask and to encrypt the
On 2/18/2017 12:12 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:41:59AM -0600, Tom Lendacky wrote:
create mode 100644 Documentation/x86/amd-memory-encryption.txt
create mode 100644 arch/x86/include/asm/mem_encrypt.h
create mode 100644 arch/x86/kernel/mem_encrypt_boot.S
create mode
On 2/20/2017 9:21 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:32AM -0600, Tom Lendacky wrote:
Adding general kernel support for memory encryption includes:
- Modify and create some page table macros to include the Secure Memory
Encryption (SME) memory encryption mask
Let'
On 2/20/2017 9:43 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:48AM -0600, Tom Lendacky wrote:
Add to the early_memremap support to be able to specify encrypted and
early_memremap()
Please append "()" to function names in your commit messages text.
decrypted mapping
On 2/20/2017 12:22 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:58AM -0600, Tom Lendacky wrote:
Add support to be able to either encrypt or decrypt data in place during
the early stages of booting the kernel. This does not change the memory
encryption attribute - it is used for
On 2/20/2017 12:38 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:32AM -0600, Tom Lendacky wrote:
Adding general kernel support for memory encryption includes:
- Modify and create some page table macros to include the Secure Memory
Encryption (SME) memory encryption mask
- Modify
On 2/20/2017 1:45 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:44:11AM -0600, Tom Lendacky wrote:
The boot data and command line data are present in memory in a decrypted
state and are copied early in the boot process. The early page fault
support will map these areas as encrypted, so
On 2/21/2017 6:05 AM, Matt Fleming wrote:
On Thu, 16 Feb, at 09:44:57AM, Tom Lendacky wrote:
Update the efi_mem_type() to return EFI_RESERVED_TYPE instead of a
hardcoded 0.
Signed-off-by: Tom Lendacky
---
arch/x86/platform/efi/efi.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions
On 2/21/2017 9:06 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:45:09AM -0600, Tom Lendacky wrote:
Boot data (such as EFI related data) is not encrypted when the system is
booted and needs to be mapped decrypted. Add support to apply the proper
attributes to the EFI page tables and to
On 2/22/2017 12:13 PM, Dave Hansen wrote:
On 02/16/2017 07:43 AM, Tom Lendacky wrote:
static inline unsigned long pte_pfn(pte_t pte)
{
- return (pte_val(pte) & PTE_PFN_MASK) >> PAGE_SHIFT;
+ return (pte_val(pte) & ~sme_me_mask & PTE_PFN_MASK) >> PAGE_S
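Review bot: the `& ~sme_me_mask` in the `+` line is open-coded at this one pte_pfn() call site, so any other accessor that extracts a PFN from a page-table entry with PTE_PFN_MASK alone would leave the encryption bit in the result. Consider clearing the encryption mask in one shared helper or mask definition that all the PFN accessors use, so they cannot diverge.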
On 2/24/2017 4:21 AM, Borislav Petkov wrote:
On Thu, Feb 23, 2017 at 03:34:30PM -0600, Tom Lendacky wrote:
Hmm... maybe I'm missing something here. This doesn't have anything to
do with kexec or efi_reuse_config. This has to do with the fact that
I said kexec because kexe
On 2/20/2017 2:09 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:44:30AM -0600, Tom Lendacky wrote:
This patch adds support to return the E820 type associated with an address
s/This patch adds/Add/
range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820/api.h |2
On 2/22/2017 12:52 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:45:35AM -0600, Tom Lendacky wrote:
Add support for changing the memory encryption attribute for one or more
memory pages.
"This will be useful when we, , for example."
Yup, will expand on the "why"
On 2/25/2017 9:29 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:43:07AM -0600, Tom Lendacky wrote:
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be
On 2/27/2017 11:52 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:19AM -0600, Tom Lendacky wrote:
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow
On 2/27/2017 12:17 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:47AM -0600, Tom Lendacky wrote:
Add support to check if memory encryption is active in the kernel and that
it has been enabled on the AP. If memory encryption is active in the kernel
but has not been enabled on the AP
+kexec list
On 2/28/2017 4:35 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
enabled.
Support is needed to allocate pages for kexec without encryption. This
is needed in order to
On 3/1/2017 3:17 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
... SNIP ...
- Added support for (re)booting with kexec
Could you please add kexec list in cc when you are updating the patches so
that kexec/kdump people do not miss them?
Sorry about that, I'll be sure to add it to the cc list.
On 3/1/2017 11:36 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:48:08AM -0600, Tom Lendacky wrote:
This patch adds the support to encrypt the kernel in-place. This is
done by creating new page mappings for the kernel - a decrypted
write-protected mapping and an encrypted mapping. The
On 2/25/2017 11:10 AM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:46:04AM -0600, Tom Lendacky wrote:
Since DMA addresses will effectively look like 48-bit addresses when the
memory encryption mask is set, SWIOTLB is needed if the DMA mask of the
device performing the DMA does not support
On 3/1/2017 3:25 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
On 02/17/17 at 10:43am, Tom Lendacky wrote:
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so that kexec can be used to boot a kernel when SME is
+kexec-list
On 3/6/2017 11:58 AM, Tom Lendacky wrote:
On 3/1/2017 3:25 AM, Dave Young wrote:
Hi Tom,
Hi Dave,
On 02/17/17 at 10:43am, Tom Lendacky wrote:
On 2/17/2017 9:57 AM, Konrad Rzeszutek Wilk wrote:
On Thu, Feb 16, 2017 at 09:47:55AM -0600, Tom Lendacky wrote:
Provide support so
On 3/1/2017 12:40 PM, Borislav Petkov wrote:
On Thu, Feb 16, 2017 at 09:48:25AM -0600, Tom Lendacky wrote:
This patch adds the support to check if SME has been enabled and if
memory encryption should be activated (checking of command line option
based on the configuration of the default state
On 3/8/2017 12:55 AM, Dave Young wrote:
On 02/16/17 at 09:45am, Tom Lendacky wrote:
[snip]
+ * This function determines if an address should be mapped encrypted.
+ * Boot setup data, EFI data and E820 areas are checked in making this
+ * determination.
+ */
+static bool
On 3/8/2017 1:04 AM, Dave Young wrote:
On 02/16/17 at 09:47am, Tom Lendacky wrote:
Use memremap() to map the setup data. This simplifies the code and will
make the appropriate decision as to whether a RAM remapping can be done
or if a fallback to ioremap_cache() is needed (which includes
On 3/8/2017 1:09 AM, Dave Young wrote:
On 02/16/17 at 09:47am, Tom Lendacky wrote:
Use memremap() to map the setup data. This will make the appropriate
decision as to whether a RAM remapping can be done or if a fallback to
ioremap_cache() is needed (similar to the setup data debugfs support
On 3/17/2017 5:58 PM, Elliott, Robert (Persistent Memory) wrote:
-Original Message-
From: linux-kernel-ow...@vger.kernel.org [mailto:linux-kernel-
ow...@vger.kernel.org] On Behalf Of Tom Lendacky
Sent: Thursday, February 16, 2017 9:45 AM
Subject: [RFC PATCH v4 15/28] Add support to
s,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (32):
x86: Documentation for AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect cache mode for full PAT support
x86, mpparse, x86/acpi, x86/PCI,
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 15 +++
arch/x86/kernel/cpu/scattered.c|1 +
4 files changed, 19 insertions(+)
diff --git a/arch/x86/include/asm
mapped
decrypted vs encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugfs.c | 34 +++---
arch/x86/kernel/ksysfs.c| 28 ++--
arch/x86/kernel/mpparse.c | 10 +-
arch/x86
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/amd.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
Create a Documentation entry to describe the AMD Secure Memory
Encryption (SME) feature and add documentation for the mem_encrypt=
kernel parameter.
Signed-off-by: Tom Lendacky
---
Documentation/admin-guide/kernel-parameters.txt | 11
Documentation/x86/amd-memory-encryption.txt
s,
rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory
encryption support in the kernel.
Tom Lendacky (32):
x86: Documentation for AMD Secure Memory Encryption (SME)
x86/mm/pat: Set write-protect cache mode for full PAT support
x86, mpparse, x86/acpi, x86/PCI,
For processors that support PAT, set the write-protect cache mode
(_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05).
Acked-by: Borislav Petkov
Signed-off-by: Tom Lendacky
---
arch/x86/mm/pat.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch
mapped
decrypted vs encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/acpi/boot.c |6 +++---
arch/x86/kernel/kdebugfs.c | 34 +++---
arch/x86/kernel/ksysfs.c| 28 ++--
arch/x86/kernel/mpparse.c | 10 +-
arch/x86
.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cpufeatures.h |1 +
arch/x86/include/asm/msr-index.h |2 ++
arch/x86/kernel/cpu/amd.c | 15 +++
arch/x86/kernel/cpu/scattered.c|1 +
4 files changed, 19 insertions(+)
diff --git a/arch/x86/include/asm
When System Memory Encryption (SME) is enabled, the physical address
space is reduced. Adjust the x86_phys_bits value to reflect this
reduction.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/cpu/amd.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch
Add support for Secure Memory Encryption (SME). This initial support
provides a Kconfig entry to build the SME support into the kernel and
defines the memory encryption mask that will be used in subsequent
patches to mark pages as encrypted.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig
functionality or stub routines depending on CONFIG_AMD_MEM_ENCRYPT.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/head_64.S | 61 -
arch/x86/mm/Makefile |4 +--
arch/x86/mm/mem_encrypt.c | 26 +++
3 files changed, 86
Create a pgd_pfn() and p4d_pfn() macro similar to the p[um]d_pfn() macros
and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros
instead of duplicating the code.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/pgtable.h | 16 +---
1 file changed, 9 insertions
encryption mask so
that user-space allocations will automatically have the encryption mask
applied.
Signed-off-by: Tom Lendacky
---
arch/x86/boot/compressed/pagetable.c |7 +
arch/x86/include/asm/fixmap.h|7 +
arch/x86/include/asm/mem_encrypt.h | 25
initrd will have been loaded by the boot loader and will not be
encrypted, but the memory that it resides in is marked as encrypted).
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 15 +++
arch/x86/mm/mem_encrypt.c | 76
initrd, encrypt this data in place. Since the future mapping of the
initrd area will be mapped as encrypted the data will be accessed properly.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/mem_encrypt.h | 11 +
arch/x86/include/asm/pgtable.h |3 +
arch/x86/kernel/head64.c
Add a function that will determine if a supplied physical address matches
the address of an EFI table.
Signed-off-by: Tom Lendacky
---
drivers/firmware/efi/efi.c | 33 +
include/linux/efi.h|7 +++
2 files changed, 40 insertions(+)
diff --git a
s that the hardware will never give the core a
dirty line with this memtype.
Signed-off-by: Tom Lendacky
---
arch/x86/Kconfig |4 +++
arch/x86/include/asm/fixmap.h| 13 ++
arch/x86/include/asm/pgtable_types.h |8 ++
arch/x86/mm/ioremap.c
Add a function that will return the E820 type associated with an address
range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/e820/api.h |2 ++
arch/x86/kernel/e820.c | 26 +++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/arch/x86
on to return a negative error value when no memmap entry is
found.
Signed-off-by: Tom Lendacky
---
arch/ia64/kernel/efi.c |4 ++--
arch/x86/platform/efi/efi.c |6 +++---
include/linux/efi.h |2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/ia64/k
successfully. The pagetable mapping
as well as the kernel are also added to the pagetable mapping as encrypted.
All other EFI mappings are mapped decrypted (tables, etc.).
Signed-off-by: Tom Lendacky
---
arch/x86/platform/efi/efi_64.c | 15 +++
1 file changed, 11 insertions(+), 4
generated. By preventing RAM remapping,
ioremap_cache() will be used instead, which will provide a decrypted
mapping of the boot related data.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/io.h |4 +
arch/x86/mm/ioremap.c | 182
encryption mask so that the data can be successfully accessed when
SME is active.
Signed-off-by: Tom Lendacky
---
arch/x86/kernel/mpparse.c | 102 +++--
1 file changed, 71 insertions(+), 31 deletions(-)
diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel
.
Signed-off-by: Tom Lendacky
---
arch/x86/mm/ioremap.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index bce0604..55317ba 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
mask range.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/cacheflush.h |3 ++
arch/x86/mm/pageattr.c| 62 +
2 files changed, 65 insertions(+)
diff --git a/arch/x86/include/asm/cacheflush.h
b/arch/x86/include/asm/cacheflush.h
index e7
When Secure Memory Encryption is enabled, the trampoline area must not
be encrypted. A CPU running in real mode will not be able to decrypt
memory that has been encrypted because it will not be able to use addresses
with the memory encryption mask.
Signed-off-by: Tom Lendacky
---
arch/x86
-by: Tom Lendacky
---
arch/x86/include/asm/dma-mapping.h |5 ++-
arch/x86/include/asm/mem_encrypt.h |5 +++
arch/x86/kernel/pci-dma.c | 11 +--
arch/x86/kernel/pci-nommu.c|2 +
arch/x86/kernel/pci-swiotlb.c |8 -
arch/x86/mm/mem_encrypt.c
For now, disable the AMD IOMMU if memory encryption is active. A future
patch will re-enable the function with full memory encryption support.
Signed-off-by: Tom Lendacky
---
drivers/iommu/amd_iommu_init.c |7 +++
1 file changed, 7 insertions(+)
diff --git a/drivers/iommu
Add warnings to let the user know when bounce buffers are being used for
DMA when SME is active. Since the bounce buffers are not in encrypted
memory, these notifications are to allow the user to determine some
appropriate action - if necessary.
Signed-off-by: Tom Lendacky
---
arch/x86/include
the
AP to continue start up.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/realmode.h | 12
arch/x86/realmode/init.c |4
arch/x86/realmode/rm/trampoline_64.S | 24
3 files changed, 40 insertions(+)
diff --git a/arch/x86
Since video memory needs to be accessed decrypted, be sure that the
memory encryption mask is not set for the video ranges.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/vga.h | 13 +
arch/x86/mm/pageattr.c |2 ++
drivers/gpu/drm/drm_gem.c|2
tables.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/kvm_host.h |2 +-
arch/x86/kvm/mmu.c | 12
arch/x86/kvm/mmu.h |2 +-
arch/x86/kvm/svm.c | 35 ++-
arch/x86/kvm/vmx.c |3
encryption bit. This
can cause random memory corruption when caches are flushed depending on
which cacheline is written last.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm/init.h |1 +
arch/x86/include/asm/irqflags.h |5 +
arch/x86/include/asm/kexec.h
Add a cmdline_find_option() function to look for cmdline options that
take arguments. The argument is returned in a supplied buffer and the
argument length (regardless of whether it fits in the supplied buffer)
is returned, with -1 indicating not found.
Signed-off-by: Tom Lendacky
---
arch/x86
Add the support to encrypt the kernel in-place. This is done by creating
new page mappings for the kernel - a decrypted write-protected mapping
and an encrypted mapping. The kernel is encrypted by copying it through
a temporary buffer.
Signed-off-by: Tom Lendacky
---
arch/x86/include/asm