Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

On 6/7/2017 5:06 PM, Boris Ostrovsky wrote: On 06/07/2017 03:14 PM, Tom Lendacky wrote: The cr3 register entry can contain the SME encryption bit that indicates the PGD is encrypted. The encryption bit should not be used when creating a virtual address for the PGD table. Create a new function

Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making sure X86_FEATURE_SME is not set for PV guests. And that may be something that Xen will need to control through either CPUID or MSR support for the PV guests. Only on newer versions of Xen. On earlier versions (2-3 y

Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

On 6/8/2017 5:01 PM, Andrew Cooper wrote: On 08/06/2017 22:17, Boris Ostrovsky wrote: On 06/08/2017 05:02 PM, Tom Lendacky wrote: On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making sure X86_FEATURE_SME is not set for PV guests. And that may be something that Xen will

Re: [Xen-devel] [PATCH v6 10/34] x86, x86/mm, x86/xen, olpc: Use __va() against just the physical address in cr3

On 6/9/2017 1:43 PM, Boris Ostrovsky wrote: On 06/09/2017 02:36 PM, Tom Lendacky wrote: On 6/8/2017 5:01 PM, Andrew Cooper wrote: On 08/06/2017 22:17, Boris Ostrovsky wrote: On 06/08/2017 05:02 PM, Tom Lendacky wrote: On 6/8/2017 3:51 PM, Boris Ostrovsky wrote: What may be needed is making

[Xen-devel] [PATCH v7 01/36] x86: Document AMD Secure Memory Encryption (SME)

Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- Documentation/admin-guide/kernel-parameters.txt | 11 Documentation/x86/amd

[Xen-devel] [PATCH v7 00/36] x86: Secure Memory Encryption (AMD)

into a range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. Tom Lendacky (36): x86: Document AMD Secure Memory Encryption (SME) x86/mm/pat: Set write-protect cache mode for full PAT

[Xen-devel] [PATCH v7 02/36] x86/mm/pat: Set write-protect cache mode for full PAT support

For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/pat.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch

[Xen-devel] [PATCH v7 03/36] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

being mapped decrypted vs encrypted. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c | 28 ++-- arch

[Xen-devel] [PATCH v7 04/36] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c|1 + 4 files changed, 17 insertions(+) diff

[Xen-devel] [PATCH v7 05/36] x86/CPU/AMD: Handle SME reduction in physical address size

When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c | 10 +++--- 1 file changed, 7 insertions(+), 3

[Xen-devel] [PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

have the encryption bit set. So only use the phys_to_virt() function if SME is not active Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm

[Xen-devel] [PATCH v7 09/36] x86/mm: Simplify p[gum]d_page() macros

Create a pgd_pfn() macro similar to the p[um]d_pfn() macros and then use the p[gum]d_pfn() macros in the p[gum]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable.h | 16 +--- 1 file changed, 9

[Xen-devel] [PATCH v7 10/36] x86/mm: Provide general kernel support for memory encryption

encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h|7 + arch/x86/include/asm

[Xen-devel] [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

routines depending on CONFIG_AMD_MEM_ENCRYPT. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |8 +++ arch/x86/kernel/head64.c | 33 +- arch/x86/kernel/head_64.S | 39 ++-- arch/x86/mm

[Xen-devel] [PATCH v7 06/36] x86/mm: Add Secure Memory Encryption (SME) support

x86/include/asm/mem_encrypt.h @@ -0,0 +1,30 @@ +/* + * AMD Memory Encryption Support + * + * Copyright (C) 2016 Advanced Micro Devices, Inc. + * + * Author: Tom Lendacky + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License vers

[Xen-devel] [PATCH v7 11/36] x86/mm: Add SME support for read_cr3_pa()

native version of read_cr3_pa(), so create native_read_cr3_pa(). Signed-off-by: Tom Lendacky --- arch/x86/include/asm/processor-flags.h |3 ++- arch/x86/include/asm/processor.h |5 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/processor

[Xen-devel] [PATCH v7 13/36] x86/mm: Add support for early encrypt/decrypt of memory

initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 10 + arch/x86/mm/mem_encrypt.c | 76

[Xen-devel] [PATCH v7 12/36] x86/mm: Extend early_memremap() support with additional attrs

s that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/Kconfig |4 +++ arch/x86/include/asm/fixmap.h| 13 ++ arch/x86/include/asm/pgtable_types.h |8 ++ a

[Xen-devel] [PATCH v7 15/36] x86/boot/e820: Add support to determine the E820 type of an address

Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/e820/api.h |2 ++ arch/x86/kernel/e820.c | 26 +++--- 2 files changed, 25 insertions(+), 3

[Xen-devel] [PATCH v7 16/36] efi: Add an EFI table address match function

Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- drivers/firmware/efi/efi.c | 33 + include/linux/efi.h|7 +++ 2 files changed

[Xen-devel] [PATCH v7 14/36] x86/mm: Insure that boot memory areas are mapped properly

initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |6 +++ arch/x86/include/asm/pgtable.h |3 ++ arch/x86/kernel/head64.c

[Xen-devel] [PATCH v7 17/36] efi: Update efi_mem_type() to return an error rather than 0

on to return a negative error value when no memmap entry is found. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/ia64/kernel/efi.c |4 ++-- arch/x86/platform/efi/efi.c |6 +++--- include/linux/efi.h |2 +- 3 files changed, 6 insertions(+), 6 dele

[Xen-devel] [PATCH v7 18/36] x86/efi: Update EFI pagetable creation to work with SME

successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/platform/efi/efi_64.c | 15 +++ 1 file

[Xen-devel] [PATCH v7 19/36] x86/mm: Add support to access boot related data in the clear

remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h |5 + arch/x86/mm/ioremap.c | 179 + include/linux/io.h|2

[Xen-devel] [PATCH v7 20/36] x86, mpparse: Use memremap to map the mpf and mpc data

encryption mask so that the data can be successfully accessed when SME is active. Signed-off-by: Tom Lendacky --- arch/x86/kernel/mpparse.c | 98 - 1 file changed, 70 insertions(+), 28 deletions(-) diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel

[Xen-devel] [PATCH v7 21/36] x86/mm: Add support to access persistent memory in the clear

. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index f3fa007..0254b78 100644 --- a/arch/x86/mm/ioremap.c +++ b

[Xen-devel] [PATCH v7 22/36] x86/mm: Add support for changing the memory encryption attribute

mask range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/set_memory.h |3 ++ arch/x86/mm/pageattr.c| 62 + 2 files changed, 65 insertions(+) diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/in

[Xen-devel] [PATCH v7 24/36] x86, swiotlb: Add memory encryption support

-by: Tom Lendacky --- arch/x86/include/asm/dma-mapping.h |5 ++- arch/x86/include/asm/mem_encrypt.h |5 +++ arch/x86/kernel/pci-dma.c | 11 +-- arch/x86/kernel/pci-nommu.c|2 + arch/x86/kernel/pci-swiotlb.c | 15 +- arch/x86/mm/mem_encrypt.c

[Xen-devel] [PATCH v7 23/36] x86, realmode: Decrypt trampoline area if memory encryption is active

When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. Signed-off-by: Tom Lendacky --- arch/x86

[Xen-devel] [PATCH v7 25/36] swiotlb: Add warnings for use of bounce buffers with SME

, replacing the device with another device that can support 64-bit DMA, ignoring the message if the device isn't used much, etc. Signed-off-by: Tom Lendacky --- include/linux/dma-mapping.h | 11 +++ include/linux/mem_encrypt.h |8 lib/swiotlb.c |3 +++ 3

[Xen-devel] [PATCH v7 26/36] x86/CPU/AMD: Make the microcode level available earlier in the boot

Move the setting of the cpuinfo_x86.microcode field from amd_init() to early_amd_init() so that it is available earlier in the boot process. This avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot. Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c |8 1

[Xen-devel] [PATCH v7 29/36] x86, drm, fbdev: Do not specify encrypted memory for video mappings

Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/vga.h | 14 +- arch/x86/mm/pageattr.c |2 ++ drivers

[Xen-devel] [PATCH v7 28/36] x86, realmode: Check for memory encryption on the APs

the AP to continue start up. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c |4 arch/x86/realmode/rm/trampoline_64.S | 24 3 files changed, 40

[Xen-devel] [PATCH v7 30/36] kvm: x86: svm: Support Secure Memory Encryption within KVM

tables. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/kvm_host.h |2 +- arch/x86/kvm/mmu.c | 12 arch/x86/kvm/mmu.h |2 +- arch/x86/kvm/svm.c | 35 ++- arch/x86/kvm

[Xen-devel] [PATCH v7 31/36] x86/mm, kexec: Allow kexec to be used with SME

encryption bit. This can cause random memory corruption when caches are flushed depending on which cacheline is written last. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/init.h |1 + arch/x86/include/asm/kexec.h |8 arch/x86/include/asm/pgtable_types.h

[Xen-devel] [PATCH v7 27/36] iommu/amd: Allow the AMD IOMMU to work with memory encryption

included in these physical addresses during configuration. The PTE entries created by the IOMMU should also include the encryption mask so that when the device behind the IOMMU performs a DMA, the DMA will be performed to encrypted memory. Signed-off-by: Tom Lendacky --- drivers/iommu/amd_iommu.c

[Xen-devel] [PATCH v7 32/36] xen/x86: Remove SME feature in PV guests

Xen does not currently support SME for PV guests. Clear the SME cpu capability in order to avoid any ambiguity. Signed-off-by: Tom Lendacky --- arch/x86/xen/enlighten_pv.c |1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c index

[Xen-devel] [PATCH v7 33/36] x86/mm: Use proper encryption attributes with /dev/mem

mapped encrypted then the VMA protection value is updated to remove the encryption bit. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h |3 +++ arch/x86/mm/ioremap.c | 18 +- arch/x86/mm/pat.c |3 +++ 3 files changed, 15 insertions(+), 9 deletions

[Xen-devel] [PATCH v7 35/36] x86/boot: Add early cmdline parsing for options with arguments

Add a cmdline_find_option() function to look for cmdline options that take arguments. The argument is returned in a supplied buffer and the argument length (regardless of whether it fits in the supplied buffer) is returned, with -1 indicating not found. Signed-off-by: Tom Lendacky --- arch/x86

[Xen-devel] [PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is encrypted by copying it through a temporary buffer. Signed-off-by: Tom Lendacky --- arch/x86/include/asm

[Xen-devel] [PATCH v7 36/36] x86/mm: Add support to make use of Secure Memory Encryption

Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |6 ++- arch/x86/kernel/head64.c |4 +- arch/x86/mm/mem_encrypt.c | 86 +++- 3 files changed, 90 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/mem_en

Re: [Xen-devel] [PATCH v1 00/27] x86: PIE support and option to extend KASLR randomization

On 10/11/2017 3:30 PM, Thomas Garnier wrote: > Changes: > - patch v1: > - Simplify ftrace implementation. > - Use gcc mstack-protector-guard-reg=%gs with PIE when possible. > - rfc v3: > - Use --emit-relocs instead of -pie to reduce dynamic relocation space on > mapped memory.

Re: [Xen-devel] [PATCH v1 00/27] x86: PIE support and option to extend KASLR randomization

On 10/12/2017 10:34 AM, Thomas Garnier wrote: On Wed, Oct 11, 2017 at 2:34 PM, Tom Lendacky wrote: On 10/11/2017 3:30 PM, Thomas Garnier wrote: Changes: - patch v1: - Simplify ftrace implementation. - Use gcc mstack-protector-guard-reg=%gs with PIE when possible. - rfc v3

[Xen-devel] [PATCH v10 00/38] x86: Secure Memory Encryption (AMD)

n of physical address size of the processor. It is possible that BIOS could have configured resources resources into a range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. To

[Xen-devel] [PATCH v10 32/38] xen/x86: Remove SME feature in PV guests

Xen does not currently support SME for PV guests. Clear the SME CPU capability in order to avoid any ambiguity. Cc: Cc: Boris Ostrovsky Cc: Juergen Gross Reviewed-by: Borislav Petkov Reviewed-by: Juergen Gross Signed-off-by: Tom Lendacky --- arch/x86/xen/enlighten_pv.c | 1 + 1 file

Re: [Xen-devel] [PATCH v10 00/38] x86: Secure Memory Encryption (AMD)

On 7/18/2017 7:03 AM, Thomas Gleixner wrote: On Mon, 17 Jul 2017, Tom Lendacky wrote: This patch series provides support for AMD's new Secure Memory Encryption (SME) feature. SME can be used to mark individual pages of memory as encrypted through the page tables. A page of memory th

Re: [Xen-devel] [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

On 6/20/2017 2:38 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:51:15PM -0500, Tom Lendacky wrote: Add support to the early boot code to use Secure Memory Encryption (SME). Since the kernel has been loaded into memory in a decrypted state, encrypt the kernel in place and update the

Re: [Xen-devel] [PATCH v7 11/36] x86/mm: Add SME support for read_cr3_pa()

On 6/20/2017 11:17 AM, Andy Lutomirski wrote: On Fri, Jun 16, 2017 at 11:51 AM, Tom Lendacky wrote: The cr3 register entry can contain the SME encryption mask that indicates the PGD is encrypted. The encryption mask should not be used when creating a virtual address from the cr3 register, so

Re: [Xen-devel] [PATCH v7 06/36] x86/mm: Add Secure Memory Encryption (SME) support

On 6/20/2017 3:49 PM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: +config ARCH_HAS_MEM_ENCRYPT + def_bool y + depends on X86 That one is silly. The config switch is in the x86 KConfig file, so X86 is on. If you intended to move this to some generic place

Re: [Xen-devel] [PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

On 6/20/2017 3:55 PM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it is then phys_to_virt() is used to perform the mapping. When SME is active, however, this will result in

Re: [Xen-devel] [PATCH v7 07/36] x86/mm: Don't use phys_to_virt in ioremap() if SME is active

On 6/21/2017 2:37 AM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: Currently there is a check if the address being mapped is in the ISA range (is_ISA_range()), and if it is then phys_to_virt() is used to perform the mapping. When SME is active, however, this will result in

Re: [Xen-devel] [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

On 6/21/2017 2:16 AM, Thomas Gleixner wrote: On Fri, 16 Jun 2017, Tom Lendacky wrote: diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h index a105796..988b336 100644 --- a/arch/x86/include/asm/mem_encrypt.h +++ b/arch/x86/include/asm/mem_encrypt.h @@ -15,16

Re: [Xen-devel] [PATCH v7 25/36] swiotlb: Add warnings for use of bounce buffers with SME

On 6/21/2017 5:50 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:54:36PM -0500, Tom Lendacky wrote: Add warnings to let the user know when bounce buffers are being used for DMA when SME is active. Since the bounce buffers are not in encrypted memory, these notifications are to allow the

Re: [Xen-devel] [PATCH v7 08/36] x86/mm: Add support to enable SME in early boot processing

On 6/21/2017 10:38 AM, Thomas Gleixner wrote: On Wed, 21 Jun 2017, Tom Lendacky wrote: On 6/21/2017 2:16 AM, Thomas Gleixner wrote: Why is this an unconditional function? Isn't the mask simply 0 when the MEM ENCRYPT support is disabled? I made it unconditional because of the call

Re: [Xen-devel] [PATCH v7 27/36] iommu/amd: Allow the AMD IOMMU to work with memory encryption

On 6/22/2017 5:56 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:54:59PM -0500, Tom Lendacky wrote: The IOMMU is programmed with physical addresses for the various tables and buffers that are used to communicate between the device and the driver. When the driver allocates this memory it

Re: [Xen-devel] [PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

On 6/23/2017 5:00 AM, Borislav Petkov wrote: On Fri, Jun 16, 2017 at 01:56:19PM -0500, Tom Lendacky wrote: Add the support to encrypt the kernel in-place. This is done by creating new page mappings for the kernel - a decrypted write-protected mapping and an encrypted mapping. The kernel is

Re: [Xen-devel] [PATCH v7 34/36] x86/mm: Add support to encrypt the kernel in-place

On 6/26/2017 10:45 AM, Borislav Petkov wrote: On Fri, Jun 23, 2017 at 12:44:46PM -0500, Tom Lendacky wrote: Normally the __p4d() macro would be used and that would be ok whether CONFIG_X86_5LEVEL is defined or not. But since __p4d() is part of the paravirt ops path I have to use native_make_p4d

[Xen-devel] [PATCH v8 01/38] x86: Document AMD Secure Memory Encryption (SME)

Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- Documentation/admin-guide/kernel-parameters.txt | 11 Documentation/x86/amd

[Xen-devel] [PATCH v8 00/38] x86: Secure Memory Encryption (AMD)

rces resources into a range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. Tom Lendacky (38): x86: Document AMD Secure Memory Encryption (SME) x86/mm/pat: Set write-protect

[Xen-devel] [PATCH v8 02/38] x86/mm/pat: Set write-protect cache mode for full PAT support

For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/pat.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch

[Xen-devel] [PATCH v8 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c|1 + 4 files changed, 17 insertions(+) diff

[Xen-devel] [PATCH v8 03/38] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

being mapped decrypted vs encrypted. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c | 28

[Xen-devel] [PATCH v8 05/38] x86/CPU/AMD: Handle SME reduction in physical address size

When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c | 10 +++--- 1 file changed, 7 insertions(+), 3

[Xen-devel] [PATCH v8 06/38] x86/mm: Add Secure Memory Encryption (SME) support

-0,0 +1,30 @@ +/* + * AMD Memory Encryption Support + * + * Copyright (C) 2016 Advanced Micro Devices, Inc. + * + * Author: Tom Lendacky + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +

[Xen-devel] [PATCH v8 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

scenario, remove the ISA range check and usage of phys_to_virt() and have ISA range mappings continue through the remaining ioremap() path. Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c |7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/arch/x86/mm/ioremap.c b/arch

[Xen-devel] [PATCH v8 08/38] x86/mm: Add support to enable SME in early boot processing

routines to set the encryption mask and perform the encryption are stub routines for now with functionality to be added in a later patch. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |8 + arch/x86/kernel/head64.c | 53

[Xen-devel] [PATCH v8 10/38] x86/mm: Provide general kernel support for memory encryption

encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h|7 + arch/x86/include/asm

[Xen-devel] [PATCH v8 09/38] x86/mm: Simplify p[g4um]d_page() macros

Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable.h | 16 +--- 1 file changed

[Xen-devel] [PATCH v8 13/38] x86/mm: Add support for early encrypt/decrypt of memory

initrd will have been loaded by the boot loader and will not be encrypted, but the memory that it resides in is marked as encrypted). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h | 10 + arch/x86/mm/mem_encrypt.c | 76

[Xen-devel] [PATCH v8 12/38] x86/mm: Extend early_memremap() support with additional attrs

s that the hardware will never give the core a dirty line with this memtype. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/Kconfig |4 +++ arch/x86/include/asm/fixmap.h| 13 ++ arch/x86/include/asm/pgtable_types.h |8 ++ a

[Xen-devel] [PATCH v8 11/38] x86/mm: Add SME support for read_cr3_pa()

native version of read_cr3_pa(), so create native_read_cr3_pa(). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/processor-flags.h |5 +++-- arch/x86/include/asm/processor.h |5 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a

[Xen-devel] [PATCH v8 14/38] x86/mm: Insure that boot memory areas are mapped properly

initrd, encrypt this data in place. Since the future mapping of the initrd area will be mapped as encrypted the data will be accessed properly. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |6 +++ arch/x86/include/asm/pgtable.h |3 ++ arch/x86/kernel/head64.c

[Xen-devel] [PATCH v8 16/38] efi: Add an EFI table address match function

Add a function that will determine if a supplied physical address matches the address of an EFI table. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- drivers/firmware/efi/efi.c | 33 + include/linux/efi.h|7

[Xen-devel] [PATCH v8 15/38] x86/boot/e820: Add support to determine the E820 type of an address

Add a function that will return the E820 type associated with an address range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/e820/api.h |2 ++ arch/x86/kernel/e820.c | 26 +++--- 2 files changed, 25 insertions(+), 3

[Xen-devel] [PATCH v8 17/38] efi: Update efi_mem_type() to return an error rather than 0

on to return a negative error value when no memmap entry is found. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/ia64/kernel/efi.c |4 ++-- arch/x86/platform/efi/efi.c |6 +++--- include/linux/efi.h |2 +- 3 files chang

[Xen-devel] [PATCH v8 18/38] x86/efi: Update EFI pagetable creation to work with SME

successfully. The pagetable mapping as well as the kernel are also added to the pagetable mapping as encrypted. All other EFI mappings are mapped decrypted (tables, etc.). Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/platform/efi/efi_64.c | 15

[Xen-devel] [PATCH v8 19/38] x86/mm: Add support to access boot related data in the clear

remapping, ioremap_cache() will be used instead, which will provide a decrypted mapping of the boot related data. Reviewed-by: Matt Fleming Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/io.h |5 + arch/x86/mm/ioremap.c | 179

[Xen-devel] [PATCH v8 20/38] x86, mpparse: Use memremap to map the mpf and mpc data

encryption mask so that the data can be successfully accessed when SME is active. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/mpparse.c | 98 - 1 file changed, 70 insertions(+), 28 deletions(-) diff --git a/arch/x86/kernel

[Xen-devel] [PATCH v8 21/38] x86/mm: Add support to access persistent memory in the clear

. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c index ee33838..effa529 100644 --- a/arch/x86/mm/ioremap.c +++ b

[Xen-devel] [PATCH v8 23/38] x86/realmode: Decrypt trampoline area if memory encryption is active

When Secure Memory Encryption is enabled, the trampoline area must not be encrypted. A CPU running in real mode will not be able to decrypt memory that has been encrypted because it will not be able to use addresses with the memory encryption mask. Reviewed-by: Borislav Petkov Signed-off-by: Tom

[Xen-devel] [PATCH v8 22/38] x86/mm: Add support for changing the memory encryption attribute

mask range. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/set_memory.h |3 ++ arch/x86/mm/pageattr.c| 62 + 2 files changed, 65 insertions(+) diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/in

[Xen-devel] [PATCH v8 24/38] x86, swiotlb: Add memory encryption support

-by: Tom Lendacky --- arch/x86/include/asm/dma-mapping.h |5 ++- arch/x86/include/asm/mem_encrypt.h |5 +++ arch/x86/kernel/pci-dma.c | 11 +-- arch/x86/kernel/pci-nommu.c|2 + arch/x86/kernel/pci-swiotlb.c | 15 +- arch/x86/mm/mem_encrypt.c

[Xen-devel] [PATCH v8 25/38] swiotlb: Add warnings for use of bounce buffers with SME

, replacing the device with another device that can support 64-bit DMA, ignoring the message if the device isn't used much, etc. Signed-off-by: Tom Lendacky --- include/linux/dma-mapping.h | 13 + lib/swiotlb.c |3 +++ 2 files changed, 16 insertions(+) diff --git a/in

[Xen-devel] [PATCH v8 26/38] x86/CPU/AMD: Make the microcode level available earlier in the boot

Move the setting of the cpuinfo_x86.microcode field from amd_init() to early_amd_init() so that it is available earlier in the boot process. This avoids having to read MSR_AMD64_PATCH_LEVEL directly during early boot. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel

[Xen-devel] [PATCH v8 27/38] iommu/amd: Allow the AMD IOMMU to work with memory encryption

included in these physical addresses during configuration. The PTE entries created by the IOMMU should also include the encryption mask so that when the device behind the IOMMU performs a DMA, the DMA will be performed to encrypted memory. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky

[Xen-devel] [PATCH v8 28/38] x86, realmode: Check for memory encryption on the APs

the AP to continue start up. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/realmode.h | 12 arch/x86/realmode/init.c |4 arch/x86/realmode/rm/trampoline_64.S | 24 3 files changed, 40

[Xen-devel] [PATCH v8 29/38] x86, drm, fbdev: Do not specify encrypted memory for video mappings

Since video memory needs to be accessed decrypted, be sure that the memory encryption mask is not set for the video ranges. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/vga.h | 14 +- arch/x86/mm/pageattr.c |2 ++ drivers

[Xen-devel] [PATCH v8 30/38] kvm: x86: svm: Support Secure Memory Encryption within KVM

tables. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/kvm_host.h |2 +- arch/x86/kvm/mmu.c | 12 arch/x86/kvm/mmu.h |2 +- arch/x86/kvm/svm.c | 35 ++- arch/x86/kvm

[Xen-devel] [PATCH v8 RESEND 02/38] x86/mm/pat: Set write-protect cache mode for full PAT support

For processors that support PAT, set the write-protect cache mode (_PAGE_CACHE_MODE_WP) entry to the actual write-protect value (x05). Acked-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/mm/pat.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch

[Xen-devel] [PATCH v8 RESEND 00/38] x86: Secure Memory Encryption (AMD)

S could have configured resources resources into a range that will now not be addressable. To prevent this, rely on BIOS to set the SYSCFG[MEME] bit and only then enable memory encryption support in the kernel. Tom Lendacky (38): x86: Document AMD Secure Memory Encryption (SME)

[Xen-devel] [PATCH v8 RESEND 01/38] x86: Document AMD Secure Memory Encryption (SME)

Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- Documentation/admin-guide/kernel-parameters.txt | 11 Documentation/x86/amd

[Xen-devel] [PATCH v8 RESEND 03/38] x86, mpparse, x86/acpi, x86/PCI, x86/dmi, SFI: Use memremap for RAM mappings

being mapped decrypted vs encrypted. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/dmi.h |8 arch/x86/kernel/acpi/boot.c |6 +++--- arch/x86/kernel/kdebugfs.c | 34 +++--- arch/x86/kernel/ksysfs.c | 28

[Xen-devel] [PATCH v8 RESEND 04/38] x86/CPU/AMD: Add the Secure Memory Encryption CPU feature

. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/cpufeatures.h |1 + arch/x86/include/asm/msr-index.h |2 ++ arch/x86/kernel/cpu/amd.c | 13 + arch/x86/kernel/cpu/scattered.c|1 + 4 files changed, 17 insertions(+) diff

[Xen-devel] [PATCH v8 RESEND 05/38] x86/CPU/AMD: Handle SME reduction in physical address size

When System Memory Encryption (SME) is enabled, the physical address space is reduced. Adjust the x86_phys_bits value to reflect this reduction. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/kernel/cpu/amd.c | 10 +++--- 1 file changed, 7 insertions(+), 3

[Xen-devel] [PATCH v8 RESEND 07/38] x86/mm: Remove phys_to_virt() usage in ioremap()

scenario, remove the ISA range check and usage of phys_to_virt() and have ISA range mappings continue through the remaining ioremap() path. Signed-off-by: Tom Lendacky --- arch/x86/mm/ioremap.c |7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/arch/x86/mm/ioremap.c b/arch

[Xen-devel] [PATCH v8 RESEND 06/38] x86/mm: Add Secure Memory Encryption (SME) support

-0,0 +1,30 @@ +/* + * AMD Memory Encryption Support + * + * Copyright (C) 2016 Advanced Micro Devices, Inc. + * + * Author: Tom Lendacky + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +

[Xen-devel] [PATCH v8 RESEND 08/38] x86/mm: Add support to enable SME in early boot processing

routines to set the encryption mask and perform the encryption are stub routines for now with functionality to be added in a later patch. Signed-off-by: Tom Lendacky --- arch/x86/include/asm/mem_encrypt.h |8 + arch/x86/kernel/head64.c | 53

[Xen-devel] [PATCH v8 RESEND 10/38] x86/mm: Provide general kernel support for memory encryption

encryption mask so that user-space allocations will automatically have the encryption mask applied. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/boot/compressed/pagetable.c |7 + arch/x86/include/asm/fixmap.h|7 + arch/x86/include/asm

[Xen-devel] [PATCH v8 RESEND 11/38] x86/mm: Add SME support for read_cr3_pa()

native version of read_cr3_pa(), so create native_read_cr3_pa(). Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/processor-flags.h |5 +++-- arch/x86/include/asm/processor.h |5 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a

[Xen-devel] [PATCH v8 RESEND 09/38] x86/mm: Simplify p[g4um]d_page() macros

Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of duplicating the code. Reviewed-by: Borislav Petkov Signed-off-by: Tom Lendacky --- arch/x86/include/asm/pgtable.h | 16 +--- 1 file changed

  1   2   >