| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Sep 2016 11:31:13 +0200
From: Borislav Petkov <bp@...en8.de>
To: Tom Lendacky <thomas.lendacky@....com>
Cc: linux-arch@...r.kernel.org, linux-efi@...r.kernel.org,
kvm@...r.kernel.org, linux-doc@...r.kernel.org, x86@...nel.org,
linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com,
linux-mm@...ck.org, iommu@...ts.linux-foundation.org,
Radim Krčmář <rkrcmar@...hat.com>,
Arnd Bergmann <arnd@...db.de>,
Jonathan Corbet <corbet@....net>,
Matt Fleming <matt@...eblueprint.co.uk>,
Joerg Roedel <joro@...tes.org>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Ingo Molnar <mingo@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Alexander Potapenko <glider@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [RFC PATCH v2 07/20] x86: Provide general kernel support for
memory encryption
On Mon, Aug 22, 2016 at 05:36:46PM -0500, Tom Lendacky wrote:
> Adding general kernel support for memory encryption includes:
> - Modify and create some page table macros to include the Secure Memory
> Encryption (SME) memory encryption mask
> - Update kernel boot support to call an SME routine that checks for and
> sets the SME capability (the SME routine will grow later and for now
> is just a stub routine)
> - Update kernel boot support to call an SME routine that encrypts the
> kernel (the SME routine will grow later and for now is just a stub
> routine)
> - Provide an SME initialization routine to update the protection map with
> the memory encryption mask so that it is used by default
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@....com>
...
> diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
> index 54a2372..88c7bae 100644
> --- a/arch/x86/kernel/head64.c
> +++ b/arch/x86/kernel/head64.c
> @@ -28,6 +28,7 @@
> #include <asm/bootparam_utils.h>
> #include <asm/microcode.h>
> #include <asm/kasan.h>
> +#include <asm/mem_encrypt.h>
>
> /*
> * Manage page tables very early on.
> @@ -42,7 +43,7 @@ static void __init reset_early_page_tables(void)
> {
> memset(early_level4_pgt, 0, sizeof(pgd_t)*(PTRS_PER_PGD-1));
> next_early_pgt = 0;
> - write_cr3(__pa_nodebug(early_level4_pgt));
> + write_cr3(__sme_pa_nodebug(early_level4_pgt));
> }
>
> /* Create a new PMD entry */
> @@ -54,7 +55,7 @@ int __init early_make_pgtable(unsigned long address)
> pmdval_t pmd, *pmd_p;
>
> /* Invalid address or early pgt is done ? */
> - if (physaddr >= MAXMEM || read_cr3() != __pa_nodebug(early_level4_pgt))
> + if (physaddr >= MAXMEM || read_cr3() != __sme_pa_nodebug(early_level4_pgt))
> return -1;
>
> again:
> @@ -157,6 +158,11 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
>
> clear_page(init_level4_pgt);
>
> + /* Update the early_pmd_flags with the memory encryption mask */
> + early_pmd_flags |= _PAGE_ENC;
> +
> + sme_early_init();
> +
So maybe this comes later but you're setting _PAGE_ENC unconditionally
*before* sme_early_init().
I think you should set it in sme_early_init() and iff SME is enabled.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
Powered by blists - more mailing lists