| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Nov 2016 16:17:36 +0000
From: "Kani, Toshimitsu" <toshi.kani@....com>
To: "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"kasan-dev@...glegroups.com" <kasan-dev@...glegroups.com>,
"x86@...nel.org" <x86@...nel.org>,
"iommu@...ts.linux-foundation.org" <iommu@...ts.linux-foundation.org>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"thomas.lendacky@....com" <thomas.lendacky@....com>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>
CC: "matt@...eblueprint.co.uk" <matt@...eblueprint.co.uk>,
"corbet@....net" <corbet@....net>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
"joro@...tes.org" <joro@...tes.org>,
"dvyukov@...gle.com" <dvyukov@...gle.com>,
"aryabinin@...tuozzo.com" <aryabinin@...tuozzo.com>,
"riel@...hat.com" <riel@...hat.com>,
"lwoodman@...hat.com" <lwoodman@...hat.com>,
"mingo@...hat.com" <mingo@...hat.com>,
"hpa@...or.com" <hpa@...or.com>,
"luto@...nel.org" <luto@...nel.org>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"bp@...en8.de" <bp@...en8.de>,
"glider@...gle.com" <glider@...gle.com>,
"rkrcmar@...hat.com" <rkrcmar@...hat.com>,
"arnd@...db.de" <arnd@...db.de>
Subject: Re: [RFC PATCH v3 10/20] Add support to access boot related data in
the clear
On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote:
> Boot data (such as EFI related data) is not encrypted when the system
> is booted and needs to be accessed unencrypted. Add support to apply
> the proper attributes to the EFI page tables and to the
> early_memremap and memremap APIs to identify the type of data being
> accessed so that the proper encryption attribute can be applied.
:
> +static bool memremap_apply_encryption(resource_size_t phys_addr,
> + unsigned long size)
> +{
> + /* SME is not active, just return true */
> + if (!sme_me_mask)
> + return true;
> +
> + /* Check if the address is part of the setup data */
> + if (memremap_setup_data(phys_addr, size))
> + return false;
> +
> + /* Check if the address is part of EFI boot/runtime data */
> + switch (efi_mem_type(phys_addr)) {
> + case EFI_BOOT_SERVICES_DATA:
> + case EFI_RUNTIME_SERVICES_DATA:
> + return false;
> + }
> +
> + /* Check if the address is outside kernel usable area */
> + switch (e820_get_entry_type(phys_addr, phys_addr + size -
> 1)) {
> + case E820_RESERVED:
> + case E820_ACPI:
> + case E820_NVS:
> + case E820_UNUSABLE:
> + return false;
> + }
> +
> + return true;
> +}
Are you supporting encryption for E820_PMEM ranges? If so, this
encryption will persist across a reboot and does not need to be
encrypted again, right? Also, how do you keep a same key across a
reboot?
Thanks,
-Toshi
Powered by blists - more mailing lists