| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Sep 2016 17:53:06 +0200
From: Borislav Petkov <bp@...en8.de>
To: Tom Lendacky <thomas.lendacky@....com>
Cc: linux-arch@...r.kernel.org, linux-efi@...r.kernel.org,
kvm@...r.kernel.org, linux-doc@...r.kernel.org, x86@...nel.org,
linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com,
linux-mm@...ck.org, iommu@...ts.linux-foundation.org,
Radim Krčmář <rkrcmar@...hat.com>,
Arnd Bergmann <arnd@...db.de>,
Jonathan Corbet <corbet@....net>,
Matt Fleming <matt@...eblueprint.co.uk>,
Joerg Roedel <joro@...tes.org>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Ingo Molnar <mingo@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Alexander Potapenko <glider@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [RFC PATCH v2 10/20] x86: Insure that memory areas are encrypted
when possible
On Mon, Aug 22, 2016 at 05:37:23PM -0500, Tom Lendacky wrote:
> Encrypt memory areas in place when possible (e.g. zero page, etc.) so
> that special handling isn't needed afterwards.
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@....com>
> ---
> arch/x86/kernel/head64.c | 93 ++++++++++++++++++++++++++++++++++++++++++++--
> arch/x86/kernel/setup.c | 8 ++++
> 2 files changed, 96 insertions(+), 5 deletions(-)
...
> +int __init early_make_pgtable(unsigned long address)
> +{
> + unsigned long physaddr = address - __PAGE_OFFSET;
> + pmdval_t pmd;
> +
> + pmd = (physaddr & PMD_MASK) + early_pmd_flags;
> +
> + return __early_make_pgtable(address, pmd);
> +}
> +
> +static void __init create_unencrypted_mapping(void *address, unsigned long size)
> +{
> + unsigned long physaddr = (unsigned long)address - __PAGE_OFFSET;
> + pmdval_t pmd_flags, pmd;
> +
> + if (!sme_me_mask)
> + return;
> +
> + /* Clear the encryption mask from the early_pmd_flags */
> + pmd_flags = early_pmd_flags & ~sme_me_mask;
> +
> + do {
> + pmd = (physaddr & PMD_MASK) + pmd_flags;
> + __early_make_pgtable((unsigned long)address, pmd);
> +
> + address += PMD_SIZE;
> + physaddr += PMD_SIZE;
> + size = (size < PMD_SIZE) ? 0 : size - PMD_SIZE;
> + } while (size);
> +}
> +
> +static void __init __clear_mapping(unsigned long address)
Should be called something with "pmd" in the name as it clears a PMD,
i.e. __clear_pmd_mapping or so.
> +{
> + unsigned long physaddr = address - __PAGE_OFFSET;
> + pgdval_t pgd, *pgd_p;
> + pudval_t pud, *pud_p;
> + pmdval_t *pmd_p;
> +
> + /* Invalid address or early pgt is done ? */
> + if (physaddr >= MAXMEM ||
> + read_cr3() != __sme_pa_nodebug(early_level4_pgt))
> + return;
> +
> + pgd_p = &early_level4_pgt[pgd_index(address)].pgd;
> + pgd = *pgd_p;
> +
> + if (!pgd)
> + return;
> +
> + /*
> + * The use of __START_KERNEL_map rather than __PAGE_OFFSET here matches
> + * __early_make_pgtable where the entry was created.
> + */
> + pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
> + pud_p += pud_index(address);
> + pud = *pud_p;
> +
> + if (!pud)
> + return;
> +
> + pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
> + pmd_p[pmd_index(address)] = 0;
> +}
> +
> +static void __init clear_mapping(void *address, unsigned long size)
> +{
> + if (!sme_me_mask)
> + return;
> +
> + do {
> + __clear_mapping((unsigned long)address);
> +
> + address += PMD_SIZE;
> + size = (size < PMD_SIZE) ? 0 : size - PMD_SIZE;
> + } while (size);
> +}
> +
> +static void __init sme_memcpy(void *dst, void *src, unsigned long size)
> +{
> + create_unencrypted_mapping(src, size);
> + memcpy(dst, src, size);
> + clear_mapping(src, size);
> +}
> +
In any case, this whole functionality is SME-specific and should be
somewhere in an SME-specific file. arch/x86/mm/mem_encrypt.c or so...
> /* Don't add a printk in there. printk relies on the PDA which is not initialized
> yet. */
> static void __init clear_bss(void)
> @@ -122,12 +205,12 @@ static void __init copy_bootdata(char *real_mode_data)
> char * command_line;
> unsigned long cmd_line_ptr;
>
> - memcpy(&boot_params, real_mode_data, sizeof boot_params);
> + sme_memcpy(&boot_params, real_mode_data, sizeof boot_params);
checkpatch.pl:
WARNING: sizeof boot_params should be sizeof(boot_params)
#155: FILE: arch/x86/kernel/head64.c:208:
+ sme_memcpy(&boot_params, real_mode_data, sizeof boot_params);
> sanitize_boot_params(&boot_params);
> cmd_line_ptr = get_cmd_line_ptr();
> if (cmd_line_ptr) {
> command_line = __va(cmd_line_ptr);
> - memcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
> + sme_memcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
> }
> }
>
> diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
> index 1489da8..1fdaa11 100644
> --- a/arch/x86/kernel/setup.c
> +++ b/arch/x86/kernel/setup.c
> @@ -114,6 +114,7 @@
> #include <asm/microcode.h>
> #include <asm/mmu_context.h>
> #include <asm/kaslr.h>
> +#include <asm/mem_encrypt.h>
>
> /*
> * max_low_pfn_mapped: highest direct mapped pfn under 4GB
> @@ -376,6 +377,13 @@ static void __init reserve_initrd(void)
> !ramdisk_image || !ramdisk_size)
> return; /* No initrd provided by bootloader */
>
> + /*
> + * This memory is marked encrypted by the kernel but the ramdisk
> + * was loaded in the clear by the bootloader, so make sure that
> + * the ramdisk image is encrypted.
> + */
> + sme_early_mem_enc(ramdisk_image, ramdisk_end - ramdisk_image);
What happens if we go and relocate the ramdisk? I.e., the function above
this one: relocate_initrd(). We have to encrypt it then too, I presume.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
Powered by blists - more mailing lists